Wednesday, September 22, 2010

Use JSTL's "c:out" instead of ${} for display

JSTL has a tag called "c:out" which writes the value of a variable to the page. Here is an example:

<c:out value="${aUrl}" />

But many people ask why not use the less verbose form instead:

${aUrl}

Although ${} is much simpler, there are good reasons to use c:out instead. The main one is escaping of HTML characters: c:out escapes them by default, whereas ${} writes the value to the page as-is. If the variable holds a string that contains a tag such as <div>, the browser will parse it as markup and break the layout of your page, and if the string came from a user, anything else it contains will be interpreted too.

By default (escapeXml="true"), c:out replaces the characters <, >, &, ' and " with their XML entities, so they are shown literally rather than interpreted.

Escaping user input is very important for security. Recently there was an article on the net about how Twitter was hacked through "JavaScript injection". Here is one of the articles:

http://blog.trendmicro.com/twitter-mouseover-flaw-allows-script-injection/

Basically, the problem for Twitter was that they were not escaping user input when displaying links. Had they used something similar to JSTL's c:out tag, they would have been protected. The same rule applies anywhere a value is written into template text; note that escapeXml="false" turns the escaping off and should only be used for markup you generated yourself.
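Here is an added example (not from the original post) that puts the two forms side by side on one JSP page. The sample value is constructed; in a real application it would come from the request or a model attribute, and the rendered output noted in the comments assumes JSTL 1.1 or later, where escapeXml defaults to true.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%-- Constructed sample value standing in for user-supplied data. --%>
<c:set var="aUrl" value='http://example.com/?q=<div class="x">hi</div>' />
<html>
<body>
<%-- 1. Raw EL: the value is written as-is, so the <div> is parsed as markup. --%>
<p>${aUrl}</p>
<%-- Renders: <p>http://example.com/?q=<div class="x">hi</div></p> --%>

<%-- 2. c:out: escapeXml defaults to true, so <, >, &, ' and " become entities. --%>
<p><c:out value="${aUrl}" /></p>
<%-- Renders: <p>http://example.com/?q=&lt;div class=&#034;x&#034;&gt;hi&lt;/div&gt;</p> --%>

<%-- 3. The same escaping from inside an EL expression, via the JSTL functions library. --%>
<p>${fn:escapeXml(aUrl)}</p>

<%-- 4. Attribute context: because " is escaped, the value cannot close the href
     attribute early. Escaping keeps the value inside the attribute; it does not
     validate the URL itself, so checking the scheme is a separate step. --%>
<a href="<c:out value='${aUrl}' />">link</a>

<%-- 5. escapeXml="false" turns the protection off; only use it for markup you generated. --%>
<p><c:out value="${aUrl}" escapeXml="false" /></p>
</body>
</html>
```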
