Formatting HTML Output
If you enter a value that contains double quotes in the Name field in the validate_jstl.jsp or validate_bean.jsp page, such as Prince, “the artist”, submit the form, and look at the HTML code generated by the JSP page using your browser’s View Source function, you see something like this:
<tr> <td>Name:</td> <td> <input type="text" name="userName" value="Prince, &#034;the artist&#034;"> </td> </tr>
Note that the quotes have been replaced with &#034;. What’s going on here?
This is the <c:out> action’s doing, and it’s a very good thing. In the JSP file, double quotes enclose the value of the <input> element’s value attribute. If the value itself includes a double quote, the browser gets confused and interprets the first double quote in the value as the end of the value. To prevent this type of problem, the <c:out> action converts all problematic characters to their so-called HTML character-entity equivalents. It converts single quotes, double quotes, less-than symbols, greater-than symbols, and ampersands to the HTML character entities &#039;, &#034;, &lt;, &gt;, and &amp;, respectively. The browser handles the converted values without problem.
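To see the difference the conversion makes, here is an added example (not from the book) that reimplements the <c:out> replacement rule in Python and feeds both the raw and the escaped <input> element through Python’s html.parser to show the value attribute a browser-side parser actually recovers; the function names, the parser helper, and the sample name are mine, and the numeric entity forms for the quotes follow the JSTL specification.

```python
from html.parser import HTMLParser

# Character-to-entity mapping applied by <c:out> when escapeXml is true:
# the five characters the text names, with the numeric entity forms for the
# quotes taken from the JSTL specification.
ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    "'": "&#039;",
    '"': "&#034;",
}

def escape_xml(value: str) -> str:
    """Replace each problematic character with its entity in one pass, so an
    ampersand produced by one replacement is never escaped a second time."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def render_input(user_name: str, escape: bool) -> str:
    """Build the <input> element from the JSP page, with or without <c:out>
    style escaping of the dynamic value."""
    shown = escape_xml(user_name) if escape else user_name
    return '<input type="text" name="userName" value="%s">' % shown

class InputAttrs(HTMLParser):
    """Record the attributes a browser-side parser sees on the <input>."""
    def __init__(self):
        super().__init__()
        self.attrs = {}
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

def parse_input(html: str) -> dict:
    """Parse one rendered element and return its attributes; entity references
    in attribute values are decoded, as a browser would."""
    parser = InputAttrs()
    parser.feed(html)
    parser.close()
    return parser.attrs

if __name__ == "__main__":
    name = 'Prince, "the artist"'          # constructed sample input
    for escape in (False, True):
        html = render_input(name, escape)
        print(html)
        print("  value attribute seen by the parser:", parse_input(html).get("value"))
```

Without escaping the parser stops the value at the first inner quote and treats the rest of the name as stray attributes; with escaping the full name round-trips.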
Besides taking care of the problem with quotes in a dynamic value, this type of character conversion also offers some protection against what’s called a cross-site scripting attack. What this means is that a malicious user submits input that causes problems when it’s displayed by the browser. If the special characters ...