c:out escapes HTML characters so that you can avoid cross-site scripting.
if person.name = <script>alert("Yo")</script>
the script will be executed in the second case, but not when using c:out
As said Will Wagner, in old version of jsp you should always use c:out to output dynamic text.
Moreover, using this syntax:
<c:out value="${person.name}">No name</c:out>
you can display the text "No name" when name is null.
c:out also has an attribute for assigning a default value if the value of person.name happens to be null.
Source: out (TLDDoc Generated Documentation)
You can explicitly enable escaping of Xml entities by using an attribute escapeXml value equals to true. FYI, it's by default "true".
Older versions of JSP did not support the second syntax.
Follow WeChat
Success story sharing
Want to stay one step ahead of the latest teleworks?
Subscribe Now相似问题
- JSP tricks to make templating easier?
- What is the difference between JSF, Servlet and JSP?
- How can I avoid Java code in JSP files, using JSP 2?
- How to submit form on change of dropdown list?
- SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder"
- Include another JSP file
- What's the difference between including files with JSP include directive, JSP include action and using JSP Tag Files?
- Why is printing "B" dramatically slower than printing "#"?
