How do I concatenate and sanitize strings in JSTL/EL?
Tag: string
Original question: http://stackoverflow.com/questions/9198156/
Note: this page reproduces a popular StackOverflow question under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me), keeping the original URL and author information: StackOverflow
Asked by Tom
I have a complicated set of nested functions that essentially sanitize data.
Let's pretend I want to emit a firstname-lastname combination that's been sanitized, but the names are presented as two separate variables.
I realize I could simply emit each variable separately, wrapping each in the entire set of sanitizing functions, but that's both inelegant and dangerous: big chunks of hard-to-read, duplicate code that need to be kept in sync over the lifetime of the app.
In a real language, I would write something like this:
${fn:trim(fn:replace(fn:replace(fn:replace(fn:replace(firstname + lastname, ..., ...), ..., ...), ..., ...), ..., ...))}
(Here, the plus represents a true-blue concatenation operator: JavaScript's '+', PHP's '.', etc.)
It also seems kind of absurd to use a separate statement to merely concatenate the variables beforehand.
Bottom line: this question has been asked a thousand times on the internet, but all the answers effectively dodge the question by proposing an alternative implementation. I want to know if this feature exists, and the documentation is worse than trivial.
Please, end my suffering and give me a straight answer.
Answered by BalusC
What exactly do you want to sanitize? HTML/XML special characters like <, > and so on to prevent XSS holes? If so, why not just use <c:out>?
<c:out value="${firstname} ${lastname}" />
If there's really more to the picture, the cleanest approach would be to refactor that job into a public static utility method, register it as an EL function and invoke it.
E.g.
public final class Functions {

    private Functions() {
        // Hide c'tor in utility classes.
    }

    public static String sanitizeNames(String firstname, String lastname) {
        // TODO: Implement the actual sanitizing; for now the inputs pass through unchanged.
        String sanitizedFirstname = firstname;
        String sanitizedLastname = lastname;
        return sanitizedFirstname + sanitizedLastname;
    }

}
which is registered as follows in a /WEB-INF/functions.tld file
<?xml version="1.0" encoding="UTF-8" ?>
<taglib
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-jsptaglibrary_2_1.xsd"
    version="2.1">

    <display-name>Custom Functions</display-name>
    <tlib-version>1.0</tlib-version>
    <uri>http://example.com/functions</uri>

    <function>
        <name>sanitizeNames</name>
        <function-class>com.example.Functions</function-class>
        <function-signature>java.lang.String sanitizeNames(java.lang.String, java.lang.String)</function-signature>
    </function>
</taglib>
and is used as follows
<%@taglib uri="http://example.com/functions" prefix="f" %>
...
${f:sanitizeNames(firstname, lastname)}
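Below is an added example of what the body of that EL function could look like; it is not BalusC's code and not part of the original answer. It assumes that "sanitize" means what <c:out> does by default: escaping the characters that are special in HTML/XML so the concatenated value cannot break out of the surrounding markup. The null handling, trimming and whitespace collapsing are further assumptions about what the questioner's nested fn:trim/fn:replace chain was doing. The class and method names match the TLD registration above.

```java
package com.example;

// Added example (not the answer's own code): one possible implementation of
// the sanitizeNames EL function registered in /WEB-INF/functions.tld above.
public final class Functions {

    private Functions() {
        // Hide c'tor in utility classes.
    }

    /**
     * Concatenates first and last name with a single space, then escapes the
     * result for safe inclusion in HTML/XML text content or attribute values.
     */
    public static String sanitizeNames(String firstname, String lastname) {
        String full = (normalize(firstname) + " " + normalize(lastname)).trim();
        return escapeXml(full);
    }

    /** Null-safe trim that also collapses internal whitespace runs to one space (assumption). */
    private static String normalize(String s) {
        if (s == null) {
            return "";
        }
        return s.trim().replaceAll("\\s+", " ");
    }

    /** Escapes the same five characters that <c:out escapeXml="true"> escapes. */
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Stand-alone check with constructed input; in the web app the EL
    // container calls sanitizeNames directly from ${f:sanitizeNames(...)}.
    public static void main(String[] args) {
        String out = sanitizeNames("  Tom <script>", "O'Brien & Sons ");
        System.out.println(out);
        if (!out.equals("Tom &lt;script&gt; O&#039;Brien &amp; Sons")) {
            throw new AssertionError("unexpected output: " + out);
        }
    }
}
```

Because the function returns already-escaped text, emit it with plain ${f:sanitizeNames(firstname, lastname)} as in the answer; wrapping that expression in <c:out> again would double-escape it (the ampersands in the entities would become &amp;amp; and so on). The reverse mistake is the one that matters for XSS: a plain ${firstname} ${lastname} without <c:out> or a function like this one writes the raw values into the page.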