I've a field on a DB that contains an HTML text and I need to print it into a JSP page. How can I render the HTML? Using <c:out value="${text}" /> I can see the text with HTML tags. In other words, it is escaping the HTML.
Andrea Girardi
What do you mean by parse it? You wish to render it as HTML? – Saket Oct 09 '11 at 14:36
1 Answer
The <c:out> by default escapes XML entities <, >, &, " and ' to prevent XSS attacks.
So to solve your problem, either just don't use <c:out> (works on JSP 2.0 and newer):
${text}
or add the escapeXml="false" attribute:
<c:out value="${text}" escapeXml="false" />
You only need to ensure that this HTML is trusted, or this will be a very easy XSS attack hole. Jsoup may be helpful in this, see also XSS prevention in JSP/Servlet web application.

BalusC
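The answer's caveat about only printing trusted HTML, shown as an added example that is not part of the original answer: the stored HTML is passed through a Jsoup allow-list before the JSP prints it with escapeXml="false". The class name `StoredHtml`, the `sanitize` method and the sample string are hypothetical, and the code assumes jsoup 1.14.2 or newer (older releases name the class `Whitelist` instead of `Safelist`).

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.safety.Safelist;

/** Hypothetical helper: sanitizes stored HTML before a JSP prints it unescaped. */
public final class StoredHtml {

    // Allow-list of simple text formatting tags. Safelist.basic() keeps tags such as
    // <p>, <b>, <i>, <ul>, <a href>, and drops everything else: <script>, <style>,
    // event-handler attributes (onclick, onerror, ...) and link schemes other than
    // http, https, ftp and mailto.
    private static final Safelist ALLOWED = Safelist.basic();

    // Keep the cleaned markup on one line instead of re-indenting it.
    private static final Document.OutputSettings OUTPUT =
            new Document.OutputSettings().prettyPrint(false);

    private StoredHtml() {}

    /** Returns HTML that contains only allow-listed tags and attributes. */
    public static String sanitize(String untrustedHtml) {
        if (untrustedHtml == null) {
            return "";
        }
        // Empty base URI: relative links cannot be resolved, so they are removed too.
        return Jsoup.clean(untrustedHtml, "", ALLOWED, OUTPUT);
    }

    public static void main(String[] args) {
        // Constructed sample of what a DB field might hold (not from the original page).
        String fromDb = "<p>Hello <b onclick=\"alert(1)\">world</b></p>"
                + "<script>alert(1)</script>"
                + "<a href=\"javascript:alert(1)\">link</a>"
                + "<a href=\"https://example.com/\">ok</a>";

        // In a servlet (hypothetical usage):
        //   request.setAttribute("text", StoredHtml.sanitize(fromDb));
        // and in the JSP:
        //   <c:out value="${text}" escapeXml="false" />
        System.out.println(sanitize(fromDb));
    }
}
```

Sanitize at output time, or re-sanitize existing rows, so that HTML stored before the allow-list was introduced is also covered.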