java 在 JSTL/JSP 中我什么时候必须使用 <c:out value="${myVar}"/> 而我什么时候可以只说 ${myVar}
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/6574776/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
In JSTL/JSP when do I have to use <c:out value="${myVar}"/> and when can I just say ${myVar}
提问by Cowhen
I've been doing this the whole time in my JSP code:
我一直在我的 JSP 代码中这样做:
<c:out value="${myVar}"/>
Today I just realized for the first time that I seem to be able to use this shorter version just as well:
今天我才第一次意识到我似乎也可以使用这个较短的版本:
${myVar}
It works without <c:out>!
它没有<c:out>!
Perhaps this is because my page is declared like this:
也许这是因为我的页面是这样声明的:
<%@ page language="java" contentType="text/html;
charset=utf-8" pageEncoding="utf-8" isELIgnored="false" %>
So, my question is, can I replace <c:out>in my code with this shorter version? Is there any reason to keep using <c:out>? Or are there places where I might still need it?
所以,我的问题是,我可以<c:out>用这个较短的版本替换我的代码吗?有什么理由继续使用<c:out>吗?或者有哪些地方我可能还需要它?
回答by JB Nizet
<c:out>does more than simply outputting the text. It escapes the HTML special chars. Use it (or ${fn:escapeXml()}) every time you're not absolutely sure that the text doesn't contain any of these characters: ", ', <, >, &. Else, you'll have invalid HTML (in the best case), a broken page, or cross-site scripting attacks (in the worst case).
<c:out>不仅仅是简单地输出文本。它转义了 HTML 特殊字符。or ${fn:escapeXml()}每次您不能完全确定文本不包含以下任何字符时,请使用它 ( ):", ', <, >, &. 否则,您将遇到无效的 HTML(在最好的情况下)、损坏的页面或跨站点脚本攻击(在最坏的情况下)。
I'll give you a simple example so that you understand. If you develop a forum, and someone posts the following message, and you don't use <c:out>to display this message, you'll have a problem:
我给你举个简单的例子,让你明白。如果你开发了一个论坛,有人发了下面的消息,而你又不习惯<c:out>显示这个消息,那你就出问题了:
<script>while (true) alert("you're a loser");</script>
回答by BalusC
Perhaps this is because my page is declared like this:
<%@ page language="java" contentType="text/html; charset=utf-8" pageEncoding="utf-8" isELIgnored="false" %>
也许这是因为我的页面是这样声明的:
<%@ page language="java" contentType="text/html; charset=utf-8" pageEncoding="utf-8" isELIgnored="false" %>
Untrue. Just <%@page pageEncoding="UTF-8" %>was been sufficient. The remnant is all already the default.
不真实。只要<%@page pageEncoding="UTF-8" %>是已经足够了。剩余的已经是默认的了。
EL in template text is supported since JSP 2.0 which goes hand in hand with Servlet 2.4 (which was already out since 2003... keep yourself up to date). So when you're running a Servlet 2.4 capable container (e.g. Tomcat 5.5 or newer) with a web.xmldeclared conform Servlet 2.4 API, then you'll be able to use EL in template text.
自 JSP 2.0 起就支持模板文本中的 EL,它与 Servlet 2.4 携手并进(自 2003 年以来已经推出......让自己保持最新状态)。因此,当您使用web.xml声明的符合 Servlet 2.4 API运行支持 Servlet 2.4 的容器(例如 Tomcat 5.5 或更新版本)时,您将能够在模板文本中使用 EL。
However, you should not use it to (re)display user-controlledinput. So, do not use it to (re)display (saved) request headers, request cookies, request URLs, request parameters, request bodies, etc. This will put doors open to XSS attacks.
但是,您不应使用它来(重新)显示用户控制的输入。因此,不要使用它来(重新)显示(保存)请求标头、请求 cookie、请求 URL、请求参数、请求正文等。这将为XSS 攻击敞开大门。
