Craig McClanahan wrote:

> (Note that you can get the same sort of filtering that <bean:write>
> does for you, to avoid cross site scripting attacks, by using things
> like "<c:out value='${customer.id}'/>" instead of "${customer.id}" if
> you need it.)


Hmm, I wonder why I have always thought ${customer.id} would have escaping turned on? Maybe because <c:out ...> does it by default?

But reading the specs, it does say the same thing you say above, e.g. you need to use <c:out ...> to get that escaping.

I think I would prefer to have escaping on for almost all of my ${} expressions, with only some exceptions having it turned off. In those cases I think it would be fine to use the <c:out ...> tag. I might have to go back and make sure my apps use <c:out ...> now instead of the easier-to-use ${} expression.

Unless there is some way to force escaping on for ${} expressions by default? Doesn't look like it to me :(


-- Jason Lea
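To make the difference concrete, here is an added JSP fragment (not from the thread or from Struts/JSTL themselves) contrasting the raw ${} form with the <c:out> form; it assumes a request-scoped bean named "customer" with properties id, name and bioHtml, and JSTL 1.1 on a JSP 2.0 container.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- Assumed: a request-scoped bean "customer" (id, name, bioHtml),
     where name may carry text that a user typed into a form. --%>

<%-- Raw EL in template text: the value is written verbatim, so any
     markup inside customer.name is rendered by the browser as HTML. --%>
<p>Name: ${customer.name}</p>

<%-- c:out: escapeXml defaults to true, so & < > " ' are turned into
     entities and the same value shows up as literal text only. --%>
<p>Name: <c:out value="${customer.name}"/></p>

<%-- The same applies inside attribute values; note the single quotes
     around the EL expression so the tag attribute stays well-formed. --%>
<a href="/customer?id=<c:out value='${customer.id}'/>">details</a>

<%-- The rare, deliberate exception: a property the application itself
     produced as trusted HTML. Escaping is switched off explicitly,
     which makes each opt-out visible when reviewing the page. --%>
<div><c:out value="${customer.bioHtml}" escapeXml="false"/></div>
```

Searching templates for "${" that appears outside a <c:out value="..."> attribute is a quick way to find the places that still need converting.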