The default for bean:write and c:out is to filter the content. Both can have filtering turned off if you wish. Shame the ${} notation doesn't filter by default :( I didn't notice that in the documentation and assumed I could replace all my c:out's with ${}, which is nicer to write. Would be nice if they changed this behaviour in the next version.

Leon Rosenberg wrote:
> So, it's as much of a security risk as bean:write? I mean you could turn the filter off and get the same effect?
> Leon
>
> From: Jeff Beal [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 23 March 2005 21:56
> To: Struts Users Mailing List
> Subject: Re: EL Mystery
>
> On Wed, 23 Mar 2005 19:38:39 +0000, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> Can someone shed some light on this mystery? Also I have heard that using EL outside of tags can be a security problem and that it is better to use a <c:out value="${EL}"/> instead.
>
> The security part of this was mentioned on the list sometime in the last couple of weeks. The <c:out/> tags will escape any HTML-sensitive characters, but the straight EL language does not. So, let's say that your variable 'EL' that you were using is a String:
>
> "<script language=\"_javascript_\" href=""
>
> <c:out value="${EL}"/> would print:
>
> <script language="_javascript_" href=""
>
> and the user would just see the characters -- no harm done. ${EL} would just print the String, and whatever script is included in 'nastybad.js' would be executed on the end-user's machine. If you are confident that the contents of your EL variable couldn't possibly have any harmful HTML in them, go ahead and use ${EL}.
>
> -- Jeff Beal
> Webmedx, Inc.
> Pittsburgh, PA USA
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

-- 
Jason Lea
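The output forms the thread compares, side by side in one page, as an added example that is not code from any of the posters. It assumes a JSP 2.0 container with JSTL 1.1 (needed for ${} in template text and for fn:escapeXml) and the Struts 1.2 bean taglib URI; the value of EL is constructed to stand in for untrusted input.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c"    uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn"   uri="http://java.sun.com/jsp/jstl/functions" %>
<%@ taglib prefix="bean" uri="http://struts.apache.org/tags-bean" %>

<%-- Constructed value standing in for data that came from a form field
     or a database row; 'nastybad.js' is the name used in the thread. --%>
<c:set var="EL"><script src="nastybad.js"></script></c:set>

<html><body>
<%-- 1. Raw EL in template text: written through unchanged, so the
        browser parses it as markup and loads nastybad.js (XSS). --%>
<p>${EL}</p>

<%-- 2. c:out with its default escapeXml="true": the '<', '>' and '"'
        are written as &lt; &gt; &#034;, so the user sees the characters. --%>
<p><c:out value="${EL}"/></p>

<%-- 3. Filter turned off explicitly: identical output to case 1. This is
        the "same effect" Leon asks about; only use it for markup the
        application built itself, never for user-supplied strings. --%>
<p><c:out value="${EL}" escapeXml="false"/></p>

<%-- 4. Struts equivalent: bean:write filters by default (like case 2);
        filter="false" disables it (like case 3). --%>
<p><bean:write name="EL"/></p>
<p><bean:write name="EL" filter="false"/></p>

<%-- 5. Keeps the short ${} syntax but still escapes: the JSTL 1.1
        function fn:escapeXml applies the same filtering as c:out. --%>
<p>${fn:escapeXml(EL)}</p>
</body></html>
```

Viewing the page source in the browser shows cases 1, 3 and the filter="false" line emitting a live script tag, while cases 2, 5 and the plain bean:write emit entity-escaped text.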