JSP : JSTL's <c:out> tag

Writing a JSP page, what exactly does the <c:out> do? I've noticed that the following both have the same result:

<p>The person's name is <c:out value="${person.name}" /></p>
<p>The person's name is ${person.name}</p>

Asked by: Marcus174 | Posted: 23-01-2022

Answer 1

c:out escapes HTML characters so that you can avoid cross-site scripting.

If person.name = <script>alert("Yo")</script>

the script will be executed in the second case, but not when using c:out.

Answered by: Cadie642 | Posted: 24-02-2022

Answer 2

As Will Wagner said, in old versions of JSP you should always use c:out to output dynamic text.

Moreover, using this syntax:

<c:out value="${person.name}">No name</c:out>

you can display the text "No name" when name is null.

Answered by: Chelsea832 | Posted: 24-02-2022

Answer 3

c:out also has an attribute for assigning a default value if the value of person.name happens to be null.

Source: out (TLDDoc Generated Documentation)

Answered by: Sawyer192 | Posted: 24-02-2022

Answer 4

You can explicitly enable escaping of XML entities by setting the escapeXml attribute to true. FYI, it is "true" by default.

Answered by: Freddie293 | Posted: 24-02-2022
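The escaping described in Answer 1 and the default and escapeXml attributes from Answers 2 to 4, modelled in plain Java as an added example (not part of the original answers and not JSTL's own source). The class name COutDemo, the helper cOut and the sample names are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration: models the behaviour of <c:out>; not the JSTL implementation.
public class COutDemo {

    // Replaces the five characters <c:out> escapes when escapeXml is true (the default).
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '\'': out.append("&#039;"); break;
                case '"':  out.append("&#034;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Models <c:out value="..." default="..." escapeXml="...">: the default is used
    // only when the value is null, and it goes through the same escaping.
    static String cOut(String value, String defaultValue, boolean escape) {
        String text = (value != null) ? value : defaultValue;
        if (text == null) return "";
        return escape ? escapeXml(text) : text;
    }

    public static void main(String[] args) {
        Map<String, String> names = new LinkedHashMap<>(); // constructed sample values
        names.put("plain", "Ann O'Brien & Co");
        names.put("script", "<script>alert(\"Yo\")</script>");
        names.put("missing", null);
        for (Map.Entry<String, String> e : names.entrySet()) {
            String raw = e.getValue() == null ? "" : e.getValue(); // what ${person.name} writes
            System.out.println(e.getKey());
            System.out.println("  ${person.name}       -> " + raw);
            System.out.println("  <c:out default>      -> " + cOut(e.getValue(), "No name", true));
            System.out.println("  escapeXml=\"false\"    -> " + cOut(e.getValue(), "No name", false));
        }
    }
}
```

Setting escapeXml="false" gives the same unescaped output as the bare ${person.name} form, so it belongs only on values that are already trusted markup.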

Answer 5

Older versions of JSP did not support the second syntax.

Answered by: Joyce119 | Posted: 24-02-2022
