Formatting HTML Output

If you enter a value containing double quotes in the Name field of the validate_jstl.jsp page (or validate_bean.jsp), such as Prince, "the artist", submit the form, and then look at the HTML the JSP page generated using your browser's View Source function, you see something like this:

<tr>
  <td>Name:</td>
  <td>
    <input type="text" name="userName"
      value="Prince, &#034;the artist&#034;">
  </td>
</tr>

Note that the quotes have been replaced with &#034;. What's going on here? This is the <c:out> action's doing, and it's a very good thing. In the JSP file, double quotes enclose the value of the <input> element's value attribute. If the value itself contains a double quote, the browser interprets the first double quote inside the value as the end of the attribute and treats whatever follows it as further attributes or markup. To prevent this type of problem, the <c:out> action converts the characters that have special meaning in HTML to their so-called HTML character-entity equivalents: single quotes, double quotes, less-than signs, greater-than signs, and ampersands become &#039;, &#034;, &lt;, &gt;, and &amp;, respectively. The browser decodes the entities back into the original characters when it renders the page, so the value displays correctly without ever being mistaken for markup.

Besides taking care of the problem with quotes in a dynamic value, this type of character conversion also offers some protection against what's called a cross-site scripting (XSS) attack, in which a malicious user submits input that the browser interprets as markup or script when the page echoes it back. If the special characters ...
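The following class is an added example, not code from the book or from the JSTL implementation. It reproduces the character conversion described above for the five characters the text lists, so you can see outside a JSP container what the <input> element looks like with and without the conversion. The class name, method names, and the sample inputs (the book's Prince example plus two constructed strings, one of which closes the attribute and starts a <script> element) are all assumptions made for this illustration.

```java
import java.util.List;

/**
 * Added example: the same character-to-entity conversion that <c:out>
 * applies, used to render the <input> element from the book's form.
 * Not part of the book or of JSTL; names and sample inputs are assumed.
 */
public class CoutEscapeDemo {

    /** Converts the five characters the text lists to their HTML entities. */
    static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Renders the same <input> element the JSP page produces for userName. */
    static String renderInput(String userName, boolean escape) {
        String v = escape ? escapeXml(userName) : userName;
        return "<input type=\"text\" name=\"userName\" value=\"" + v + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the book's example, a value with an
        // ampersand and markup, and one that would close the value attribute
        // and inject a <script> element if written out unconverted.
        List<String> samples = List.of(
            "Prince, \"the artist\"",
            "Tom & Jerry <b>",
            "\"><script>alert(1)</script>"
        );
        for (String s : samples) {
            System.out.println("unescaped: " + renderInput(s, false));
            System.out.println("escaped:   " + renderInput(s, true));
            System.out.println();
        }
    }
}
```

Two things worth noticing when you run it. First, the conversion is a single pass over each character, so it must be applied exactly once, at the point where the value is written into the page: running it twice turns &#034; into &amp;#034;. Second, it is sufficient for element content and for attribute values that are enclosed in quotes, which is the case on this page; a value written into an unquoted attribute, a URL, or a JavaScript string needs encoding appropriate to that context instead. In JSTL the conversion is controlled by the escapeXml attribute of <c:out>, which is true by default; setting it to false reinstates the problem shown in the unescaped lines.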
