在JSTL / JSP中何时必须使用< c:out value =" $ {myVar}" />什么时候可以说$ {myVar} [英] In JSTL/JSP when do I have to use <c:out value="${myVar}"/> and when can I just say ${myVar}
问题描述
我在JSP代码中一直这样做:
I've been doing this the whole time in my JSP code:
<c:out value="${myVar}"/>
今天我第一次意识到我似乎能够使用这个更短的版本好吧:
Today I just realized for the first time that I seem to be able to use this shorter version just as well:
${myVar}
没有< c:out>
!
也许这是因为我的页面声明如下:
Perhaps this is because my page is declared like this:
<%@ page language="java" contentType="text/html;
charset=utf-8" pageEncoding="utf-8" isELIgnored="false" %>
所以,我的问题是,我可以替换< c:out>
在我的代码中使用这个较短的版本?有没有理由继续使用< c:out>
?还是有些地方我可能还需要它?
So, my question is, can I replace <c:out>
in my code with this shorter version? Is there any reason to keep using <c:out>
? Or are there places where I might still need it?
推荐答案
< c:out>
不仅仅是输出文本。它逃脱了HTML特殊字符。每当您不完全确定文本中不包含以下任何字符时,请使用它(或$ {fn:escapeXml()}
:,,<,>,&
。否则,您将拥有无效的HTML(在最好的情况下),页面损坏或跨站点脚本攻击(在最糟糕的情况)。
<c:out>
does more than simply outputting the text. It escapes the HTML special chars. Use it (or ${fn:escapeXml()}
) every time you're not absolutely sure that the text doesn't contain any of these characters: ", ', <, >, &
. Else, you'll have invalid HTML (in the best case), a broken page, or cross-site scripting attacks (in the worst case).
我会给你一个简单的例子让你理解。如果你开发了一个论坛,有人发布了以下消息,你就不会使用< c:out>
显示此消息,您将遇到问题:
I'll give you a simple example so that you understand. If you develop a forum, and someone posts the following message, and you don't use <c:out>
to display this message, you'll have a problem:
<script>while (true) alert("you're a loser");</script>
这篇关于在JSTL / JSP中何时必须使用< c:out value =" $ {myVar}" />什么时候可以说$ {myVar}的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!