c:out vs ${bean.property}

Paul Cooper
Or maybe the topic should be escaped text vs plain text in rendering JSP pages.

A colleague of mine just made a fairly staggering discovery, and it has pretty much changed my view of the EL vs basic <c:out> statements, and I'm wondering what some of the high-end readers here think. Here's what we've discovered:

By default, <c:out> seems to encode "illegal" characters, like <, >, &, etc., whereas ${bean.property} does not. So, if a user were to enter "</td></tr></table></body></html>" into a text field and then save the form, <c:out value="${bean.property}"> would return "</td></tr>....", whereas the ${bean.property} would return the originally entered text, which would totally cripple the page. Eh?!?!? JavaScript validation can get around some of this (I know because my topic above originally had < and > around the c:out part, and the post told me to take them off), but these *can* be valid characters.....

I had, in the last couple of months, spent two weeks ripping all the <c:out> statements out of my JSPs. It appears now that the decision to do that was clearly misguided, and I now have to spend two weeks putting them all *back* in!

Am I missing something here? It seems like a huge hole to allow text to be entered into a form that could potentially break the form display.....

Comments and perhaps an explanation would surely be welcome.

Paul Cooper
Software Developer
EMS Performance Improvement Center
Bear Bibeault
Yes, any text that comes from an untrusted source should be encoded. They're not "illegal" characters -- it's quite possible that their use is perfectly legit. But they do need to be encoded so as not to boof up the page formatting as well as to guard against injection attacks.

As such, any display text that originates from an untrusted source, or that might contain markup characters, should be encoded via <c:out> or by use of the fn:escapeXml() function.
[ December 04, 2006: Message edited by: Bear Bibeault ]
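The encoding Bear describes, shown as a standalone Java method so the two outputs can be compared outside a JSP (an added example, not code from this thread or from the JSTL implementation): it applies the same five replacements that JSTL's <c:out> and fn:escapeXml() perform, and runs them over the string from the original post. The class and method names are chosen here.

```java
// Added example: mirrors the character escaping JSTL performs in <c:out> and
// fn:escapeXml() (&, <, >, ' and "), so the raw EL output and the escaped output
// can be seen side by side. EscapeDemo and escapeXml are names chosen for this example.
public final class EscapeDemo {

    /** Escape the characters that can break out of HTML text or attribute context. */
    public static String escapeXml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the field value quoted in the original post.
        String submitted = "</td></tr></table></body></html>";

        // What ${bean.property} emits: the markup passes through unchanged and
        // closes the surrounding table row, table and page early.
        String rawCell = "<td>" + submitted + "</td>";

        // What <c:out value="${bean.property}"/> emits: the browser shows the
        // text literally and the table structure survives.
        String escapedCell = "<td>" + escapeXml(submitted) + "</td>";

        System.out.println("raw:     " + rawCell);
        System.out.println("escaped: " + escapedCell);
    }
}
```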