在JSTL / JSP中何时必须使用< c：out value =" $ {myVar}" />什么时候可以说$ {myVar} [英] In JSTL/JSP when do I have to use <c:out value="${myVar}"/> and when can I just say ${myVar}

问题描述

我在JSP代码中一直这样做：

I've been doing this the whole time in my JSP code:

<c:out value="${myVar}"/>

今天我第一次意识到我似乎能够使用这个更短的版本好吧：

Today I just realized for the first time that I seem to be able to use this shorter version just as well:

${myVar}

没有< c：out> ！

也许这是因为我的页面声明如下：

Perhaps this is because my page is declared like this:

<%@ page language="java" contentType="text/html; 
charset=utf-8" pageEncoding="utf-8" isELIgnored="false" %>

所以，我的问题是，我可以替换< c：out> 在我的代码中使用这个较短的版本？有没有理由继续使用< c：out> ？还是有些地方我可能还需要它？

So, my question is, can I replace <c:out> in my code with this shorter version? Is there any reason to keep using <c:out>? Or are there places where I might still need it?

推荐答案

< c：out> 不仅仅是输出文本。它逃脱了HTML特殊字符。每当您不完全确定文本中不包含以下任何字符时，请使用它（或$ {fn：escapeXml（）} ：，，<，>，& 。否则，您将拥有无效的HTML（在最好的情况下），页面损坏或跨站点脚本攻击（在最糟糕的情况）。

<c:out> does more than simply outputting the text. It escapes the HTML special chars. Use it (or ${fn:escapeXml()}) every time you're not absolutely sure that the text doesn't contain any of these characters: ", ', <, >, &. Else, you'll have invalid HTML (in the best case), a broken page, or cross-site scripting attacks (in the worst case).

我会给你一个简单的例子让你理解。如果你开发了一个论坛，有人发布了以下消息，你就不会使用< c：out> 显示此消息，您将遇到问题：

I'll give you a simple example so that you understand. If you develop a forum, and someone posts the following message, and you don't use <c:out> to display this message, you'll have a problem:

<script>while (true) alert("you're a loser");</script>

这篇关于在JSTL / JSP中何时必须使用< c：out value =" $ {myVar}" />什么时候可以说$ {myVar}的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！