Or maybe the topic should be escaped text vs plain text in rendering JSP pages.
A colleague of mine just made a fairly staggering discovery, and it has pretty much changed my view of the EL vs basic <cut> statements, and I'm wondering what some of the high-end readers here think. Here's what we've discovered:
I had, in the last couple of months, spent two weeks ripping all the <cut> statements out of my JSPs. It appears now that the decision to do that was clearly misguided, and I now have to spend two weeks putting them all *back* in!
Am I missing something here? It seems like a huge hole to allow text to be entered into a form that could potentially break the form display...
Comments and perhaps an explanation would surely be welcome.
Paul Cooper Software Developer EMS Performance Improvement Center
Yes, any text that comes from an untrusted source should be encoded. They're not "illegal" characters -- it's quite possible that their use is perfectly legit. But they do need to be encoded so as not to boof up the page formatting as well as to guard against injection attacks.
As such, any display text that originates from an untrusted source, or that might contain markup characters, should be encoded via <cut> or by use of the fn:escapeXml() function. [ December 04, 2006: Message edited by: Bear Bibeault ]
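To make the difference concrete, here is an added JSP fragment (not from either poster) that re-displays a submitted value three ways: raw EL in an attribute, the same attribute wrapped in fn:escapeXml(), and body text through JSTL's <c:out>. The parameter name displayName, the page name profile.jsp and the sample input are all constructed for this illustration.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%-- Added example. Assumes a form that posts a "displayName" parameter back
     to this page. Constructed test input:  Smith & Sons "Ltd"  --%>
<html>
<body>
<form method="post" action="profile.jsp">

  <%-- UNSAFE: raw EL inside an attribute. The double quote in the sample
       input closes the value="..." attribute early and the rest of the
       input is parsed as markup, so the form breaks (or worse). --%>
  <input type="text" name="displayName" value="${param.displayName}">

  <%-- SAFE (1): fn:escapeXml() rewrites  & < > " '  as entities, so the
       browser renders the characters but never treats them as markup.
       Rendered attribute: value="Smith &amp; Sons &#034;Ltd&#034;" --%>
  <input type="text" name="displayName"
         value="${fn:escapeXml(param.displayName)}">

  <%-- SAFE (2): c:out escapes by default (escapeXml="true" is implicit)
       and is the idiomatic choice for body text; "default" covers the
       first visit when no parameter has been submitted yet. --%>
  <p>Hello, <c:out value="${param.displayName}" default="guest"/></p>

  <input type="submit" value="Save">
</form>
</body>
</html>
```

Both safe forms apply HTML/XML entity encoding, which is the right choice for element bodies and quoted attribute values. It is not sufficient on its own for values placed inside a script block or a URL; those contexts need their own encoding, so the check when reviewing a page is "which context does this value land in, and is it encoded for that context".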