2

So I have set the following parameters in my web.xml:

```xml
<context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>true</param-value>
</context-param>
```

Will this automatically escape outputs for the field by only declaring in the JSP:

```jsp
<input type="text" class="form-control" id="label" name="label" value="${field.label}">
```

or do I need to use the <spring:? Or use the <form: tags?

Update: This question is just a matter of yes/no. And maybe a brief answer regarding how to activate the params on the JSP side. My question is after I set the params in web.xml. So do I need to use <spring: or <form: tags in the JSP, or can I use plain <input type... tags?

Vic Cebedo
  • possible duplicate of [How do I prevent people from doing XSS in Java?](http://stackoverflow.com/questions/2147958/how-do-i-prevent-people-from-doing-xss-in-java) – Roman C Apr 15 '15 at 07:36
  • @RomanC Not really. My question is after I set the params in `web.xml`. So do I need to use ` – Vic Cebedo Apr 15 '15 at 09:43

1 Answer

4

The escaping applies only to the Spring MVC tags. For example:

```jsp
<form:input path="field" htmlEscape="true" />
```
Fernando Lozano
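To illustrate the answer's point, here is an added example (not part of the original answer) that renders the question's field in a JSP with and without escaping. It assumes a model attribute named `field` with a `label` property, as in the question; the `/save` action URL is hypothetical, and the blocks are alternatives, so only one would be used on a real page.

```jsp
<%-- Added example, not from the original post. Assumes model attribute "field"
     with a "label" property; the /save action is hypothetical. --%>
<%@ taglib prefix="c"      uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn"     uri="http://java.sun.com/jsp/jstl/functions" %>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="form"   uri="http://www.springframework.org/tags/form" %>

<%-- 1. Plain EL in template text: defaultHtmlEscape in web.xml has no effect here.
        The container writes the value verbatim, so quotes and angle brackets
        in the label end up unescaped inside the attribute. --%>
<input type="text" class="form-control" id="label" name="label"
       value="${field.label}">

<%-- 2. Plain <input> kept, value escaped explicitly with the JSTL function
        (escapes < > & ' "). --%>
<input type="text" class="form-control" id="label" name="label"
       value="${fn:escapeXml(field.label)}">

<%-- 3. Same plain <input>, escaped with c:out (escapeXml defaults to true). --%>
<input type="text" class="form-control" id="label" name="label"
       value="<c:out value='${field.label}'/>">

<%-- 4. Spring form tag: this is where defaultHtmlEscape (or a per-tag
        htmlEscape="true") applies. The tag renders the <input> itself and
        escapes the bound value. --%>
<form:form modelAttribute="field" action="/save" method="post">
    <form:input path="label" id="label" cssClass="form-control" htmlEscape="true" />
</form:form>

<%-- 5. Spring tag for escaping free text in element content. --%>
<p><spring:escapeBody htmlEscape="true">${field.label}</spring:escapeBody></p>
```

A quick check is to store a label containing `"` and `<` and view the page source: variant 1 shows the characters raw, while the others show entities such as `&quot;`, `&#34;` or `&lt;`.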