
c:out vs ${}

Paul Cooper

Joined: Jan 30, 2006
Posts: 9
Or maybe the topic should be escaped text vs plain text in rendering JSP pages.

A colleague of mine just made a fairly staggering discovery, and it has pretty much changed my view of the EL vs basic <cut> statements, and I'm wondering what some of the high-end readers here think. Here's what we've discovered:

By default, <cut> seems to encode "illegal" characters, like <, >, &, etc., whereas ${} does not. So, if a user were to enter "</td></tr></table></body></html>" into a text field and then save the form, <cut value="${}"> would return "</td></tr>....", whereas the ${} would return the originally entered text, which would totally cripple the page. Eh?!?!? JavaScript validation can get around some of this (I know because my topic above originally had < and > around the cut part, and the post told me to take them off), but these *can* be valid characters.....

I had, in the last couple of months, spent two weeks ripping all the <cut> statements out of my JSPs. It appears now that the decision to do that was clearly misguided, and I now have to spend two weeks putting them all *back* in!

Am I missing something here? It seems like a huge hole to allow text to be entered into a form that could potentially break the form display.....

Comments and perhaps an explanation would surely be welcome.

Paul Cooper
Software Developer
EMS Performance Improvement Center
Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 63865

Yes, any text that comes from an untrusted source should be encoded. They're not "illegal" characters -- it's quite possible that their use is perfectly legit. But they do need to be encoded so as not to boof up the page formatting as well as to guard against injection attacks.

As such, any display text that originates from an untrusted source, or that might contain markup characters, should be encoded via <cut> or by use of the fn:escapeXml() function.
[ December 04, 2006: Message edited by: Bear Bibeault ]

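To make the difference concrete, here is an added Java example (not code from this thread or from the JSTL library) that re-implements the escaping <c:out> applies and renders the string from the original post both ways; escapeXml is a hand-written stand-in for JSTL's own, assumed to cover the same five characters (&, <, >, ", ').

```java
// Added example: what <c:out value="${v}"/> writes versus what a bare ${v} writes.
// escapeXml below is an assumed equivalent of JSTL's escaping, not the library class.
public class EscapeDemo {

    /** Escape the characters JSTL escapes when escapeXml="true" (the default). */
    public static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Output of <td>${value}</td>: the stored text is copied into the page as-is. */
    public static String renderRaw(String value) {
        return "<td>" + value + "</td>";
    }

    /** Output of <td><c:out value="${value}"/></td>: markup becomes visible text. */
    public static String renderEscaped(String value) {
        return "<td>" + escapeXml(value) + "</td>";
    }

    /** Simple check a template review could apply: escaped output adds no tags. */
    public static boolean introducesMarkup(String rendered, String wrapper) {
        // Count '<' beyond the ones the wrapper itself contributes.
        return rendered.chars().filter(ch -> ch == '<').count()
                > wrapper.chars().filter(ch -> ch == '<').count();
    }

    public static void main(String[] args) {
        // Constructed input: the field value from the original post.
        String userInput = "</td></tr></table></body></html>";
        String raw = renderRaw(userInput);
        String safe = renderEscaped(userInput);
        System.out.println("${}   -> " + raw + "  breaks layout: " + introducesMarkup(raw, "<td></td>"));
        System.out.println("c:out -> " + safe + "  breaks layout: " + introducesMarkup(safe, "<td></td>"));
    }
}
```

The same escaping is available as an expression through `${fn:escapeXml(value)}` with the JSTL functions taglib, which is the option Bear mentions when a plain `${}` is otherwise more convenient than a `<c:out>` tag.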