javascript jsp to display alert

Notice: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must do so under the same license, cite the original address, and attribute it to the original authors (not me): StackOverflow. Original: http://stackoverflow.com/questions/18047533/

Time: 2020-10-27 10:34:52  Source: igfitidea

jsp to display alert

Tags: javascript, security, jsp, jsp-tags

Asked by user2144209

How do I write a JSP page which opens a JS box?

Main vulnerabilities that apply to this, e.g.?

Answered by bobince

I'm just going to worry about the cross-site-scripting problems caused by HTML and JS injection. CSRF doesn't seem to be an issue yet because just alerting “hello” doesn't have any active side-effects that you would have to be logged in to do.

The bonehead way of doing it:

<script type="text/javascript">
    alert('Hello, <%= request.getParameter("name") %>');
</script>

This suffers from JS injection because there is no JS-escaping inside a JS string literal:

name=');execute_arbitrary_code();'

and also suffers HTML injection because the enclosing script block can be closed early:

name=</script><script>execute_arbitrary_code();//

Unfortunately there is no standard tag in JSP that will escape text in a JS string literal (that is itself in an HTML script block). You can write and use your own tag to do it, or reuse a library that defines one. For example OWASP ESAPI has:

<script type="text/javascript">
    alert('Hello, <esapi:encodeForJavaScript>${param.name}</esapi:encodeForJavaScript>');
</script>

But it is often easier to avoid encoding into JS, and instead push data through the DOM. Because the DOM is plain HTML, you only need normal markup escaping, which JSP has natively in the <c:out> tag.

<input type="hidden" id="name-parameter" value="<c:out value="${param.name}"/>"/>
<script type="text/javascript">
    var name = document.getElementById('name-parameter').value;
    alert('Hello, '+name);
</script>

This aids in the long-term goal of keeping your JS separate from your markup and server-side code. data-attributes are another good way to pass data from markup to JS.
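The following is an added example, not part of the original question or answer and not code from ESAPI or JSTL: a small Node.js model of the three JSP fragments in the answer (naive concatenation, ESAPI-style JS escaping, and the hidden-input/DOM approach), rendered against the two breakout payloads and then fed to a stand-in "browser". The `encodeForJavaScript` and `encodeForHtml` functions are assumptions that imitate what `<esapi:encodeForJavaScript>` and `<c:out>` do, the payloads are constructed (the first adds a trailing `//` to the answer's JS-literal payload so the injected statement parses), and `execute_arbitrary_code` is just a flag that records whether injected code ran.

```javascript
// Added example (not part of the original answer): a Node.js model of the three
// JSP templates discussed above, run against two breakout payloads, to show
// which ones let an attacker-controlled ?name= reach the JS engine as code.

// Stand-in for ESAPI's <esapi:encodeForJavaScript>: keep [A-Za-z0-9], escape
// everything else as \xHH (\uHHHH above U+00FF). Nothing that comes out can
// close the string literal or spell "</script>". (Assumption: this imitates the
// ESAPI tag's policy; it is not ESAPI's code.)
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, ch => {
    const cp = ch.charCodeAt(0);
    return cp < 0x100
      ? '\\x' + cp.toString(16).padStart(2, '0')
      : '\\u' + cp.toString(16).padStart(4, '0');
  });
}

// Stand-in for JSTL <c:out> with its default escapeXml="true": the five XML
// specials, using the numeric entities JSTL emits for the two quote characters.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#034;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// The three JSP fragments from the answer, as server-side render functions of
// the raw request parameter.
const templates = {
  naive: name => `<script>alert('Hello, ${name}');</script>`,
  esapi: name => `<script>alert('Hello, ${encodeForJavaScript(name)}');</script>`,
  dom: name =>
    `<input type="hidden" id="name-parameter" value="${encodeForHtml(name)}"/>` +
    `<script>var name = document.getElementById('name-parameter').value;` +
    `alert('Hello, '+name);</script>`,
};

// Constructed payloads. The first is the answer's JS-literal breakout with a
// trailing // so the leftover "');" is commented out and the script parses;
// the second is the answer's early-</script> breakout verbatim.
const PAYLOADS = {
  jsBreakout: "');execute_arbitrary_code();//",
  htmlBreakout: '</script><script>execute_arbitrary_code();//',
};

// Decode only the entities encodeForHtml produces (enough for this model).
function decodeEntities(s) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&#034;': '"', '&#039;': "'" };
  return s.replace(/&(?:amp|lt|gt|#034|#039);/g, ent => map[ent]);
}

// A tiny stand-in for the browser. Like the HTML parser, it ends a <script>
// block at the first "</script" regardless of the JS inside, reads the hidden
// input's value attribute with entities decoded, then runs each script with
// alert() recorded, document.getElementById() stubbed, and
// execute_arbitrary_code() flagging that injected code executed. A script that
// fails to parse is skipped, as a browser would skip it.
function render(html) {
  const result = { alerts: [], arbitraryCodeRan: false, syntaxErrors: 0 };
  const attr = /<input[^>]*\bvalue="([^"]*)"/.exec(html);
  const hiddenValue = attr ? decodeEntities(attr[1]) : undefined;
  const fakeDocument = { getElementById: () => ({ value: hiddenValue }) };
  const scriptRe = /<script>([\s\S]*?)<\/script/g;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    let fn;
    try {
      fn = new Function('alert', 'execute_arbitrary_code', 'document', m[1]);
    } catch (e) {
      if (e instanceof SyntaxError) { result.syntaxErrors += 1; continue; }
      throw e;
    }
    fn(msg => result.alerts.push(String(msg)),
       () => { result.arbitraryCodeRan = true; },
       fakeDocument);
  }
  return result;
}

// Render one template with one payload and return what the "browser" observed.
function evaluate(templateName, payload) {
  return render(templates[templateName](payload));
}

// Run the whole matrix. A template is safe if no payload executed injected code
// and every payload arrived inside alert() as plain text.
function matrix() {
  const out = {};
  for (const t of Object.keys(templates)) {
    out[t] = {};
    for (const [p, payload] of Object.entries(PAYLOADS)) {
      const r = evaluate(t, payload);
      out[t][p] = {
        injected: r.arbitraryCodeRan,
        greetedLiterally: r.alerts.includes('Hello, ' + payload),
      };
    }
  }
  return out;
}

console.log(JSON.stringify(matrix(), null, 2));
```

Running it shows the naive template losing to both payloads (the second one even leaves the first `<script>` block as a syntax error, which a browser silently drops before running the attacker's second block), while the ESAPI-style and DOM templates hand the payload to `alert()` as inert text. The HTML-tokenizer detail in `render` is the reason the answer warns that JS escaping alone is not enough inside a script block: the browser decides where the script ends before the JS parser ever sees the string literal.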