In JSTL/JSP when do I have to use <c:out value="${myVar}"/> and when can I just say ${myVar}

Source : http://stackoverflow.com/questions/6574776/in-jstl-jsp-when-do-i-have-to-use-cout-value-myvar-and-when-can-i-just


I’ve been doing this the whole time in my JSP code:

<c:out value="${myVar}"/>

Today I just realized for the first time that I seem to be able to use this shorter version just as well:

${myVar}

It works without <c:out>!

Perhaps this is because my page is declared like this:

<%@ page language="java" contentType="text/html; charset=utf-8" pageEncoding="utf-8" isELIgnored="false" %>

So, my question is, can I replace <c:out value="${myVar}"/> in my code with this shorter version? Is there any reason to keep using <c:out>? Or are there places where I might still need it?

Solution:

<c:out> does more than simply outputting the text. It escapes the HTML special chars.
Use it (or ${fn:escapeXml()}) every time you're not absolutely sure that the text doesn't contain any of these characters: ", ', <, >, &. Else, you'll have invalid HTML (in the best case), a broken page, or cross-site scripting attacks (in the worst case).

I’ll give you a simple example so that you understand.
If you develop a forum, and someone posts the following message, and you don't use <c:out> to display this message, you'll have a problem:

<script>while (true) alert("problem");</script>
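The escaping difference the answer describes, as an added example that is not part of the question, the answer, or any JSTL implementation: a stand-alone Java program that applies the same five replacements JSTL's <c:out> (escapeXml="true") and fn:escapeXml perform, and renders the forum post from the answer once as plain ${myVar} and once as <c:out> would. The template renderer is a deliberately tiny stand-in for the JSP container, and the post content is constructed.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class EscapeXmlDemo {

    // The five replacements JSTL's escapeXml performs: < > & ' "
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Matches ${name} expressions in the template (toy EL, hypothetical helper)
    private static final Pattern EL = Pattern.compile("\\$\\{(\\w+)\\}");

    // Substitutes each ${name} either raw (what plain EL in the page body does)
    // or escaped (what <c:out value="${name}"/> does).
    static String render(String template, Map<String, String> vars, boolean escape) {
        Matcher m = EL.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = vars.getOrDefault(m.group(1), "");
            String rendered = escape ? escapeXml(value) : value;
            m.appendReplacement(out, Matcher.quoteReplacement(rendered));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed forum post: the message from the answer above
        String post = "<script>while (true) alert(\"problem\");</script>";
        Map<String, String> vars = Map.of("myVar", post);
        String template = "<p class=\"post\">${myVar}</p>";

        // Raw EL hands the browser a live <script> element; c:out turns it into visible text.
        System.out.println("${myVar}: " + render(template, vars, false));
        System.out.println("<c:out>:  " + render(template, vars, true));
    }
}
```

Compile and run with javac/java (Java 9 or later for Map.of); the first line contains the untouched <script> element and the second contains &lt;script&gt;, which the browser renders as text rather than executing.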

About Vineet Verma

This entry was posted in J2EE, Java, JSP.