Is usage of tag with escapeXml="false" equivalent to not using tag?

Question

I have read that using <c:out> tag will prevent XSS attacks but for some cases, say for example, displaying units with superscript (kg/m³) using <c:out> is displayed as plain text with sup tag (kg/m<sup>3</sup>). In order to display it properly, escapeXml="false" has to be used.

<c:out value="${units}" escapeXml="false></c:out>

But I was wondering whether using <c:out> tag with escapeXml="false" is equivalent to not using <c:out> tag itself?

Yes, it's equivalent to not using `c:out` at all. – JB Nizet Oct 03 '15 at 08:16 — JB Nizet, Oct 03 '15 at 08:16

score 1 · Answer 1 · edited Jun 20 '20 at 09:12

1

<c:out value="${units}" escapeXml="false" />

This is indeed equivalent to not using <c:out>, but only in JSP 2.0 or newer.

${units}

In older JSP versions (JSP 1.x), EL in template text like above was not supported and therefore <c:out> was the only way to print EL expressions.

Is usage of tag with escapeXml="false" equivalent to not using tag?

1 Answers1

See also: