On Wed, 23 Mar 2005 19:38:39 +0000, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Can some one shed some light on this mystery? Also I have heard that using EL > outside of tags can be a security problem and that it is better to use a > <c:out value="${EL}"/> instead. The security part of this was mentioned on the list sometime in the last couple of weeks. The <c:out/> tags will escape any HTML-sensitive characters, but the straight EL language does not. So, let's say that your variable 'EL' that you were using is a String: "<script language=\"JavaScript\" href=\"nastybad.js\"></script>" <c:out value="${EL}"/> would print: <script language="JavaScript" href="nastybad.js"></script> and the user would just see the characters -- no harm done. ${EL} would just print the String, and whatever script is included in 'nastybad.js' would be executed on the end-user's machine. If you are confident that the contents of your EL variable couldn't possibly have any harmful HTML in them, go ahead and use ${EL}. -- Jeff Beal Webmedx, Inc. Pittsburgh, PA USA --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]