
I have two JSP files written as below.

index.jsp

<form action="process.jsp" method="post">
FirstName:<input type="text" name="fname"/><br/>
LastName:<input type="text" name="lname"/><br/>
<input type="submit" value="submit"/>
</form>

process.jsp

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>

First Name:<c:out value="${param.fname}"></c:out><br/>
Last Name:<c:out value="${param.lname}"></c:out>
<br/>
First Name:${param.fname}
<br/>
Last Name:${param.lname}

When I give some input I get the same output in both cases:

First Name:nm
Last Name:nm 
First Name:nm 
Last Name:nm

So I am a little bit confused about what the significance of using the c:out tag is. If we can do the same work without c:out, then why do we have this tag available in JSP? I am new to EL, that's why I'm asking a silly question.

Piyush Mittal

1 Answer


The c:out tag not only prints the characters but also escapes HTML characters, thus preventing possible cross-site scripting (XSS) attacks.

If param.fname is set to something like the below:

 param.fname = <script>while (true) alert("possible cross scripting attack");</script>

This script will be executed in the case of ${param.fname}, but it will not be executed in the case of the c:out tag.

Prateek Kapoor
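As an added example (not code from the question or the answer), here is a stand-alone Java class that reproduces the default escaping JSTL's c:out applies (escapeXml="true") and renders the answer's sample payload both ways, so you can see exactly what the browser receives from each line of process.jsp. The class and method names are my own; the replacement table follows the JSTL specification for escapeXml.

```java
// Added example: shows what the two process.jsp variants send to the browser.
public class CoutEscapeDemo {

    // Same replacement table JSTL's <c:out> uses when escapeXml is true (the default).
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '\'': out.append("&#039;"); break;
                case '"':  out.append("&#034;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // What "First Name:${param.fname}" emits: the raw value, unchanged,
    // so any markup in it becomes part of the page.
    static String renderWithEl(String fname) {
        return "First Name:" + fname;
    }

    // What "First Name:<c:out value="${param.fname}"/>" emits: the escaped value,
    // so the browser shows the markup as text instead of interpreting it.
    static String renderWithCout(String fname) {
        return "First Name:" + escapeXml(fname);
    }

    public static void main(String[] args) {
        // Constructed input: the payload quoted in the answer above.
        String fname = "<script>while (true) alert(\"possible cross scripting attack\");</script>";
        System.out.println("${param.fname} -> " + renderWithEl(fname));
        System.out.println("<c:out ...>    -> " + renderWithCout(fname));
        // Ordinary input like "nm" is identical in both variants, which is
        // why the question's test showed no visible difference.
        System.out.println("plain input    -> " + renderWithCout("nm"));
    }
}
```

Note that c:out only neutralises the five characters above; if the value is placed inside a JavaScript block or an unquoted attribute rather than in HTML body text, this escaping alone is not sufficient.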