JSP : JSTL's tag

Question

Writing a JSP page, what exactly does the <c:out> do? I've noticed that the following both has the same result:

<p>The person's name is <c:out value="${person.name}" /></p>
<p>The person's name is ${person.name}</p>

score 161 · Accepted Answer · edited Mar 12 '14 at 13:39

161

c:out escapes HTML characters so that you can avoid cross-site scripting.

if person.name = <script>alert("Yo")</script>

the script will be executed in the second case, but not when using c:out

edited Mar 12 '14 at 13:39

Mdhar9e

answered Nov 14 '08 at 19:05

krosenvold

2

Only if 'escapeXML' it set to true (not sure if it is by default) – Chris Serra Nov 14 '08 at 19:12
17

I believe it is true by default. – Zack The Human Jul 02 '09 at 17:02
7

N.B. it escapes XML not HTML. One of the more annoying subtleties of JSTL. I end up always writing my own HTML escape EL fn. – Adam Gent Jun 12 '11 at 18:16
5

The attribute name is case sensitive so it's escapeXml="true" not escapeXML – Mark Chorley Apr 08 '13 at 10:43
2

I have no idea what this answer's code sample is showing- can someone clarify? It mentions a "second case" but I don't see that and I don't see c:out being used in the code. – IcedDante Oct 02 '14 at 15:22
2

@IcedDante: the first case is the first code line mentioned by OP with the c:out. The second case is OP's second line of code – riddle_me_this Oct 05 '14 at 20:33
1

@AdamGent What problem do you solve by using your own HTML escape fn? – David Balažic Sep 27 '18 at 06:51
@DavidBalažic I don't use JSP anymore but: 1. attribute content escaping is different than text/tag content so you need two different functions even for the case of XML other wise the whitespace is ignored and 2. XML escaping is slightly different than HTML and this is why commons lang and various other libraries have different functions. – Adam Gent Oct 05 '18 at 12:42

score 130 · Answer 2 · edited Dec 10 '15 at 19:47

130

As said Will Wagner, in old version of jsp you should always use c:out to output dynamic text.

Moreover, using this syntax:

<c:out value="${person.name}">No name</c:out>

you can display the text "No name" when name is null.

edited Dec 10 '15 at 19:47

jpaugh

answered Nov 14 '08 at 19:34

alexmeia

Agreed, cool. Thanks for teaching and helping. I didn't know that either. Cheers! – B-Money Feb 07 '12 at 17:43
22

or – gmustudent Aug 21 '12 at 03:21
That is very cool, but I never see this mentioned anywhere. Do you have a link to the spec? – Thilo Nov 21 '12 at 05:50
2

JSR 52, maintenance release 2, see page 22 "with a body". Link: http://download.oracle.com/otndocs/jcp/jstl-1.2-mrel2-eval-oth-JSpec/ – Barett Dec 06 '12 at 23:12
1

@Barett. Cool. I wonder why this never makes any of the tutorials or examples. A more convenient syntax than the default attribute IMO. – Thilo Dec 27 '12 at 05:30

score 7 · Answer 3 · answered Nov 14 '08 at 19:21

7

c:out also has an attribute for assigning a default value if the value of person.name happens to be null.

answered Nov 14 '08 at 19:21

Chris Serra

score 6 · Answer 4 · answered Jul 02 '09 at 16:57

6

You can explicitly enable escaping of Xml entities by using an attribute escapeXml value equals to true. FYI, it's by default "true".

answered Jul 02 '09 at 16:57

Greenhorn

1

Some example code would really help make this answer complete. – RachelD Dec 10 '15 at 21:21

score 4 · Answer 5 · answered Nov 14 '08 at 19:03

4

Older versions of JSP did not support the second syntax.

answered Nov 14 '08 at 19:03

Will Wagner

5 Answers5