The default for bean:write and c:out is to filter the content.  Both can have filtering turned off if you wish.

Shame the ${} notation doesn't filter by default :(

I didn't notice that in the documentation and assumed I could replace all my c:out's with ${} which is nicer to write.  Would be nice if they changed this behaviour in the next version.



Leon Rosenberg wrote:

So, it's as much of a security risk as bean:write? I mean you could turn the
filter off and get the same effect?

Leon


From: Jeff Beal [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 23 March 2005 21:56
To: Struts Users Mailing List
Subject: Re: EL Mystery

On Wed, 23 Mar 2005 19:38:39 +0000, 
[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Can someone shed some light on this mystery? Also I have
heard that using EL outside of tags can be a security problem
and that it is better to use a <c:out value="${EL}"/> instead.

The security part of this was mentioned on the list sometime 
in the last couple of weeks.  The <c:out/> tags will escape 
any HTML-sensitive characters, but the straight EL language 
does not.  So, let's say that your variable 'EL' that you 
were using is a String:
"<script language=\"_javascript_\" href=""

<c:out value="${EL}"/> would print:
&lt;script language=&quot;_javascript_&quot; 
href="" and the user 
would just see the characters -- no harm done.

${EL} would just print the String, and whatever script is 
included in 'nastybad.js' would be executed on the end-user's machine.

If you are confident that the contents of your EL variable 
couldn't possibly have any harmful HTML in them, go ahead and 
use ${EL}.

--
Jeff Beal
Webmedx, Inc.
Pittsburgh, PA USA

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-- 
Jason Lea

No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.8.1 - Release Date: 2005.03.23
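The difference Jeff describes, as an added example that is not code from this thread or from Struts/JSTL: a small Python model of what <c:out> does to the five XML-sensitive characters versus what a bare ${} interpolation does, run over a constructed string that references the 'nastybad.js' file mentioned above. The exact entity spellings for the quote characters are my assumption; browsers render the named and numeric forms identically.

```python
import re

# The five characters JSTL's <c:out> (escapeXml="true") replaces. The
# numeric entities chosen for the quotes are an assumption of this example.
_XML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&#034;",
    "'": "&#039;",
}


def escape_xml(value: str) -> str:
    """Model <c:out value="${x}"/>: escape HTML-sensitive characters."""
    return "".join(_XML_ESCAPES.get(ch, ch) for ch in value)


def render_raw(value: str) -> str:
    """Model ${x} written directly in template text: no escaping at all."""
    return value


def contains_markup(fragment: str) -> bool:
    """Rough check: does the fragment still contain a live tag like <name ...>?"""
    return re.search(r"<[A-Za-z][^>]*>", fragment) is not None


# Constructed sample value in the spirit of the thread's example.
EL = '<script src="nastybad.js"></script>'

TEMPLATE = "<p>Hello, {}</p>"


def render_page(value: str, escaping: bool) -> str:
    """Render the page body with the value either escaped (c:out) or raw (${})."""
    shown = escape_xml(value) if escaping else render_raw(value)
    return TEMPLATE.format(shown)


if __name__ == "__main__":
    # The escaped version shows the characters; the raw version embeds a tag.
    print(render_page(EL, escaping=True))
    print(render_page(EL, escaping=False))
```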
