On Wed, 23 Mar 2005 19:38:39 +0000, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:

> Can some one shed some light on this mystery? Also I have heard that using EL 
> outside of tags can be a security problem and that it is better to use a 
> <c:out value="${EL}"/> instead.

The security part of this was mentioned on the list sometime in the
last couple of weeks.  The <c:out/> tags will escape any
HTML-sensitive characters, but the straight EL language does not.  So,
let's say that your variable 'EL' that you were using is a String:
"<script language=\"JavaScript\" href=\"nastybad.js\"></script>"

<c:out value="${EL}"/> would print:
&lt;script language=&quot;JavaScript&quot;
href=&quot;nastybad.js&quot;&gt;&lt;/script&gt; and the user would
just see the characters -- no harm done.

${EL} would just print the String, and whatever script is included in
'nastybad.js' would be executed on the end-user's machine.

If you are confident that the contents of your EL variable couldn't
possibly have any harmful HTML in them, go ahead and use ${EL}.

-- 
Jeff Beal
Webmedx, Inc.
Pittsburgh, PA USA
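A small stand-alone Java model of the escaping that `<c:out>` performs, added here as an illustration and not code from the thread or from the JSTL implementation: the class and method names are chosen for the example, and the entity choices follow the output quoted in the post above.

```java
// Added example (not from the original thread): a minimal model of the
// escaping that <c:out> applies, so the difference to a bare ${EL} can be
// seen outside a servlet container. The entities mirror the output shown in
// the post; the real tag library may use numeric entities for quotes, so
// treat this as an illustration of the rule, not as the library itself.
public class EscapeDemo {

    // Escape the HTML-sensitive characters; everything else passes through.
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample value: the string used in the post above.
        String el = "<script language=\"JavaScript\" href=\"nastybad.js\"></script>";

        // ${EL}: the raw string reaches the browser and is parsed as markup.
        System.out.println("${EL}             -> " + el);

        // <c:out value="${EL}"/>: the same string, rendered as inert text.
        System.out.println("<c:out value=...> -> " + escapeXml(el));
    }
}
```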
