On Thu, 17 Mar 2005 16:18:25 -0500, Rick Reumann <[EMAIL PROTECTED]> wrote:
> Dakota Jack wrote the following on 3/17/2005 4:08 PM:
> > I think that Craig had mentioned that there were some security issues
> > or something, however, with not using the <c: blah blah. I did not
> > bother checking it out because I still use the <c: blah blah.
>
> wow, really? I'd like to know what they are. I love how much cleaner my
> code is without having to use c:out everywhere.
Expression evaluation doesn't filter out characters that are sensitive
in HTML (like '<'). Consider a common case where you accept input
from a user into a text field, store it in your database, and then
display it (on a different page) with something like this:
<td>${customer.name}</td>
Now, consider what happens if you have a malicious user who types
something like this into the name field:
<script language="JavaScript">...</script>
The unsuspecting user who displays this page will be executing
whatever JavaScript code replaces "...". That doesn't happen if you
use <c:out> (or <bean:write> in Struts) because, by default, the "<"
character gets emitted as "&lt;" instead.
Craig
>
> --
> Rick
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]