> It's as simple as just adding double quotes around the City name to define
> the boundaries of the string. If double quotes aren't used then you get the
> default behaviour that you described.

Yes, but note that this approach leaves open the cross-site scripting
security hole, for one thing.  For example, if I set my city to:
"><script>alert('Look, ma, no hands')</script>
I can manipulate the browser (and potentially other people's browsers if
they are viewing the same data), because

> <input type="TEXT" name=City size="25" value="<%=table.getCity()%>">

gets rendered as
<input type="TEXT" name=City size="25" value=""><script>alert('Look, ma,
no hands')</script>">

Also, if table.getCity() is a string that includes a double-quote
character, it will still fail. They should be replaced by &qt; instead.

I usually use a helper function (static method) that translates:
'>' --> &gt;
'<' --> &lt;
'"' --> &qt;
'&' --> &amp;
And of course any non-ASCII characters should be encoded to their hex
values (&#xx).

One of the most useful things for a tag library to do, IMHO, would be to
provide easy ways of encoding these values in an HTML-compliant manner.
Something like:
<html:encode id="table" property="city"/>

Cheers

Wes
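As an added illustration of the helper Wes describes (this code is not from the original post or from any tag library; the class and method names `HtmlEncoder.encode` are hypothetical), here is a static method that performs the four replacements listed above and encodes non-ASCII characters as hex numeric references. It uses the standard entity name `&quot;` for the double quote, since `&qt;` is not a defined HTML entity, and additionally escapes the single quote so the same helper is safe in single-quoted attribute values. The `main` method runs it over constructed inputs, including the `"><script>...` payload from the post, and prints the resulting `<input>` tags:

```java
/**
 * Added example, not part of the original post.
 * Intended to be called from a JSP expression such as
 *   <input type="TEXT" name="City" size="25" value="<%=HtmlEncoder.encode(table.getCity())%>">
 * so that the attribute value can never close the quote or start a tag.
 */
public final class HtmlEncoder {

    private HtmlEncoder() {}

    /** Escape a string so it is safe inside an HTML attribute value or text node. */
    public static String encode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); ) {
            // Walk by code point so supplementary characters become one reference, not two surrogates
            int cp = s.codePointAt(i);
            i += Character.charCount(cp);
            switch (cp) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;  // standard entity name for the double quote
                case '\'': out.append("&#39;");  break;  // also protects single-quoted attributes
                default:
                    if (cp < 0x20 || cp > 0x7E) {
                        // Control and non-ASCII characters as hex numeric character references
                        out.append("&#x").append(Integer.toHexString(cp)).append(';');
                    } else {
                        out.appendCodePoint(cp);
                    }
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the payload quoted in the post, a value with plain
        // double quotes, and a city name with a non-ASCII character
        String[] samples = {
            "\"><script>alert('Look, ma, no hands')</script>",
            "Cologne \"am Rhein\"",
            "K\u00f6ln"
        };
        for (String city : samples) {
            System.out.println("<input type=\"TEXT\" name=\"City\" size=\"25\" value=\""
                               + encode(city) + "\">");
        }
    }
}
```

For the first sample the rendered tag becomes `value="&quot;&gt;&lt;script&gt;alert(&#39;Look, ma, no hands&#39;)&lt;/script&gt;"`, which the browser displays as literal text in the field rather than executing. The proposed `<html:encode .../>` tag would simply call a method like this on the bean property before writing it out.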

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.html
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets