jsp - Is usage of <c:out> tag with escapeXml="false" equivalent to not using <c:out> tag?
I have read that using the <c:out> tag prevents XSS attacks. But in some cases, for example displaying units with a superscript (kg/m3), using <c:out> displayed it as plain text with the sup tag (kg/m<sup>3</sup>). In order to display it properly, escapeXml="false" has to be used.

<c:out value="${units}" escapeXml="false"></c:out>

But I am wondering whether using the <c:out> tag with escapeXml="false" is equivalent to not using the <c:out> tag itself?
<c:out value="${units}" escapeXml="false" />

This is indeed equivalent to not using <c:out>, but only in JSP 2.0 or newer.

${units}

In older JSP versions (JSP 1.x), EL in template text like the above is not supported, and therefore <c:out> is the way to print EL expressions.
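
Since escapeXml="false" leaves ${units} unescaped, one way to keep the superscript without giving up escaping is to escape the whole value first and then re-enable only bare <sup>/<sub> tags. The following is an added example, not code from the question or the answer; the class name UnitsMarkup, its methods and the sample values are hypothetical.

```java
import java.util.regex.Pattern;

/** Hypothetical helper: escape everything, then re-enable only <sup>/<sub>. */
public final class UnitsMarkup {

    // Matches only the escaped forms of bare <sup>, </sup>, <sub>, </sub>.
    // Tags carrying attributes never match, so they stay escaped.
    private static final Pattern ALLOWED = Pattern.compile("&lt;(/?)(sup|sub)&gt;");

    private UnitsMarkup() {}

    /** Escapes the same five characters that <c:out> escapes by default. */
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Returns markup that is safe to print without further escaping. */
    public static String render(String units) {
        if (units == null) {
            return "";
        }
        // Unbalanced <sup>/<sub> can still affect layout, but cannot add script.
        return ALLOWED.matcher(escapeXml(units)).replaceAll("<$1$2>");
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the original post.
        String[] samples = {
            "kg/m<sup>3</sup>",
            "m<sup onclick=\"f()\">2</sup>",
            "<b>kg</b> & <sub>x</sub>"
        };
        for (String s : samples) {
            System.out.println(render(s));
        }
    }
}
```

The returned string is already escaped, so in the JSP it is printed as-is (with escapeXml="false" or plain EL); passing it through the default <c:out> would escape it a second time.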