JSP : JSTL's <c:out> tag
Writing a JSP page, what exactly does the <c:out> do? I've noticed that the following both has the same result:
<p>The person's name is <c:out value="${person.name}" /></p>
<p>The person's name is ${person.name}</p>
Asked by: Marcus174 | Posted: 23-01-2022
Answer 1
c:out escapes HTML characters so that you can avoid cross-site scripting.
if person.name = <script>alert("Yo")</script>
the script will be executed in the second case, but not when using c:out
Answer 2
As said Will Wagner, in old version of jsp you should always use c:out to output dynamic text.
Moreover, using this syntax:
<c:out value="${person.name}">No name</c:out>
you can display the text "No name" when name is null.
Answered by: Chelsea832 | Posted: 24-02-2022Answer 3
c:out also has an attribute for assigning a default value if the value of person.name happens to be null.
Source: out (TLDDoc Generated Documentation)
Answered by: Sawyer192 | Posted: 24-02-2022Answer 4
You can explicitly enable escaping of Xml entities by using an attribute escapeXml value equals to true. FYI, it's by default "true".
Answered by: Freddie293 | Posted: 24-02-2022Answer 5
Older versions of JSP did not support the second syntax.
Answered by: Joyce119 | Posted: 24-02-2022Similar questions
java - <c:out> tag is not showing up in JSP nor does it work
Somehow, the <c:out> tag is not working at all. It doesn't show any alerts and it's just blank. It's like I never added the tag into the file. Here's my code:
Connector.java:
package connect;
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;...
Still can't find your answer? Check out these amazing Java communities for help...
Java Reddit Community | Java Help Reddit Community | Dev.to Java Community | Java Discord | Java Programmers (Facebook) | Java developers (Facebook)