Wednesday, September 22, 2010

Use JSTL's "c:out" instead of ${} for display

JSTL has a tag called "c:out" which writes a variable into the page. Here is an example:

<c:out value="${aUrl}" />

But many people ask why not use the less verbose method instead:

${aUrl}
Although ${} is much simpler, there are several reasons to prefer c:out. The main one is escaping of HTML characters. By default (escapeXml="true") c:out replaces the five characters <, >, &, ' and " with their entities (&lt;, &gt;, &amp;, &#039; and &#034;), while ${} writes the value out verbatim. If the variable holds a string that contains markup such as <div>, the raw ${} form makes the browser read it as a tag and break the layout of your page; with c:out the text is displayed literally.

Escaping user input is very important for security reasons, not just for layout. Recently there has been an article on the net about how Twitter was hacked by "JavaScript injection", that is, cross-site scripting (XSS). Here is one of the articles:

Basically, the problem for Twitter was that they were not escaping user input when displaying links, so a value containing a quote could close the href attribute and add its own event-handler attribute. Had they used something similar to JSTL's c:out tag, the quote would have been emitted as an entity and they would have been protected from that attack. One caveat: escaping only keeps the value inside the attribute, it does not validate the value itself, so a URL with a javascript: scheme placed in an href still has to be rejected by separate validation of the scheme.
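To make the difference concrete, here is an added example (mine, not code from the post) that reproduces in plain Java what the two JSP forms emit for a hostile aUrl. The escapeXml routine mirrors the five replacements c:out performs with its default escapeXml="true"; the hostile strings and the renderRaw/renderEscaped helpers are constructed for the demonstration and stand in for the JSP markup `<a href="${aUrl}">` and `<a href="<c:out value='${aUrl}'/>">`.

```java
public class CoutEscapeDemo {

    // The same five replacements <c:out escapeXml="true"> (the default) makes.
    static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '\'': out.append("&#039;"); break;
                case '"':  out.append("&#034;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // What <a href="${aUrl}">link</a> emits: the value is interpolated verbatim.
    static String renderRaw(String aUrl) {
        return "<a href=\"" + aUrl + "\">link</a>";
    }

    // What <a href="<c:out value='${aUrl}'/>">link</a> emits.
    static String renderEscaped(String aUrl) {
        return "<a href=\"" + escapeXml(aUrl) + "\">link</a>";
    }

    public static void main(String[] args) {
        // Constructed attacker value: the quote closes href and the rest becomes a new attribute.
        String hostile = "http://example.com/\" onmouseover=\"alert(document.cookie)";
        System.out.println("raw:     " + renderRaw(hostile));
        // -> <a href="http://example.com/" onmouseover="alert(document.cookie)">link</a>
        System.out.println("escaped: " + renderEscaped(hostile));
        // -> <a href="http://example.com/&#034; onmouseover=&#034;alert(document.cookie)">link</a>

        // Caveat: escaping keeps the attribute intact but does not judge the URL itself.
        // Nothing here is special to HTML, so the link still executes script when clicked.
        String jsScheme = "javascript:alert(1)";
        System.out.println("escaped, still dangerous: " + renderEscaped(jsScheme));

        // A scheme check is a separate control; the allow-list here is the example's own choice.
        System.out.println("scheme allowed: " + hasSafeScheme(jsScheme));        // false
        System.out.println("scheme allowed: " + hasSafeScheme("https://example.com/")); // true
    }

    // Only http(s) links are acceptable as an href in this example.
    static boolean hasSafeScheme(String url) {
        String lower = url.trim().toLowerCase();
        return lower.startsWith("http://") || lower.startsWith("https://");
    }
}
```

The second output line shows why the attribute injection fails once c:out is used: the browser sees a single, oddly shaped href value rather than a new onmouseover attribute. The last two lines show the part c:out does not cover, which is why output escaping and URL validation are separate checks.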

Tuesday, September 14, 2010

spring 3 mvc annotation-driven with DWR annotations

I am currently working on a new project that uses Spring 3 MVC Annotation-driven model. I had used DWR on previous projects successfully, but without using annotations, and relying on XML configuration.

After having played around with Spring's annotation-driven model, I found it much easier than its XML counterpart, and so I was determined to get DWR working in the same manner.

<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring MVC dispatcher context. The namespace declarations are the standard
     Spring 3 and DWR ones; the original's were not preserved. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:dwr="http://www.directwebremoting.org/schema/spring-dwr"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
           http://www.directwebremoting.org/schema/spring-dwr http://www.directwebremoting.org/schema/spring-dwr-3.0.xsd">

    <!-- ================================== DWR configurations ===================================== -->
    <dwr:configuration>
        <!-- the bean class was left empty in the original -->
        <dwr:convert type="bean" class="" />
    </dwr:configuration>
    <!-- Scans Spring beans for DWR's @RemoteProxy / @RemoteMethod annotations -->
    <dwr:annotation-config />
    <!-- Routes /dwr/* requests that reach the DispatcherServlet to the DWR controller -->
    <dwr:url-mapping />
    <!-- debug="true" enables DWR's test pages under /dwr/, which list every remoted
         class and let anyone call its methods from a form; switch it off outside development -->
    <dwr:controller id="dwrController" debug="true" />

    <!-- Configures the @Controller programming model -->
    <mvc:annotation-driven />

    <!-- Forwards requests to the "/" resource to the "welcome" view -->
    <mvc:view-controller path="/" view-name="welcome"/>
    <mvc:view-controller path="/*" />

    <!-- Configures Handler Interceptors -->
    <mvc:interceptors>
        <!-- Changes the locale when a 'locale' request parameter is sent; e.g. /?locale=de -->
        <bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor" />
    </mvc:interceptors>

    <!-- Saves a locale change using a cookie -->
    <bean id="localeResolver" class="org.springframework.web.servlet.i18n.CookieLocaleResolver" />

    <!-- Resolves view names to protected .jsp resources within the /WEB-INF/views directory -->
    <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="/WEB-INF/views/"/>
        <property name="suffix" value=".jsp"/>
    </bean>

</beans>


<!-- web.xml: the dispatcher servlet and its two mappings. Only the servlet-name
     lines survived from the original; the servlet class is Spring's DispatcherServlet,
     and the two url-patterns are the conventional ones, not taken from the post. -->

<!-- ============= Spring MVC Dispatcher Servlet ============ -->
<servlet>
    <servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- ================= MVC mapping ================ -->
<servlet-mapping>
    <servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<!-- DWR: engine.js, the interface scripts and the calls themselves all go through the
     same dispatcher, so that <dwr:url-mapping /> in the context above can route them -->
<servlet-mapping>
    <servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
    <url-pattern>/dwr/*</url-pattern>
</servlet-mapping>

Then, to verify that DWR is integrated correctly, you can visit:
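What the configuration above enables is a Spring bean that DWR exposes to the browser purely through annotations. The following is an added example (mine, not from the post); the package, the GreetingService class and the "greetingService" script name are hypothetical. The point it adds to the config is the exposure boundary: only methods marked @RemoteMethod become callable from JavaScript, and only @RemoteProperty fields of a @DataTransferObject are marshalled, which is the annotation replacement for the dwr:convert entry.

```java
package com.example.dwr; // hypothetical package for the example

import java.util.Arrays;
import java.util.List;

import org.directwebremoting.annotations.DataTransferObject;
import org.directwebremoting.annotations.RemoteMethod;
import org.directwebremoting.annotations.RemoteProperty;
import org.directwebremoting.annotations.RemoteProxy;
import org.springframework.stereotype.Service;

/**
 * Picked up by <mvc:annotation-driven/> as a normal Spring bean and by
 * <dwr:annotation-config/> as a remoted object. In the browser it appears as
 * the JavaScript object "greetingService" (dwr/interface/greetingService.js).
 */
@Service
@RemoteProxy(name = "greetingService")
public class GreetingService {

    // Callable from the page: greetingService.greet('World', callback)
    @RemoteMethod
    public Greeting greet(String name) {
        // The value comes straight from the browser and goes straight back to it;
        // the JSP that renders the result still has to escape it.
        return new Greeting("Hello, " + name, Arrays.asList("en", "de"));
    }

    // Public, but not annotated: DWR will not expose it, so it cannot be called remotely.
    public void resetAllGreetings() {
    }

    /** Annotation equivalent of <dwr:convert type="bean" .../> for this one class. */
    @DataTransferObject
    public static class Greeting {
        @RemoteProperty
        private String message;
        @RemoteProperty
        private List<String> locales;
        // No @RemoteProperty: never serialised to the client.
        private String internalNote = "stays server-side";

        public Greeting() {
            // DWR needs a no-arg constructor to build inbound instances
        }

        public Greeting(String message, List<String> locales) {
            this.message = message;
            this.locales = locales;
        }

        public String getMessage() { return message; }
        public void setMessage(String message) { this.message = message; }
        public List<String> getLocales() { return locales; }
        public void setLocales(List<String> locales) { this.locales = locales; }
    }
}

/*
 * Page side (JSP), assuming the /dwr/* mapping from the web.xml above:
 *
 *   <script type="text/javascript" src="dwr/engine.js"></script>
 *   <script type="text/javascript" src="dwr/interface/greetingService.js"></script>
 *   <script type="text/javascript">
 *     greetingService.greet('World', function(g) {
 *       // g.message and g.locales arrive; g.internalNote does not exist here
 *       document.getElementById('out').appendChild(document.createTextNode(g.message));
 *     });
 *   </script>
 */
```

With debug="true" still set on dwr:controller, the same GreetingService also shows up on DWR's test page with a form for each @RemoteMethod, which is convenient for the verification step and exactly why that flag should be off in production.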