About Question enthuware.jwpv6.2.1101 :

Posted: Fri Dec 19, 2014 5:36 am
by shareef.hiasat
Greetings, does the option

${htmltext}

appear as escapeXml="false" by default, or what? Because

the way, I believe, is by using the EL function fn:escapeXml(string).

It means if I use ${htmltext} it will appear in heading 1 style, not <h1>xxxx</h1>, right?

Correct me if I am wrong, thanks.

shareef.

Re: About Question enthuware.jwpv6.2.1101 :

Posted: Fri Dec 19, 2014 7:53 am
by admin
As the explanation says, escapeXml is true by default. If you do not specify escapeXml='false', you will get &lt;h1 instead of <h1. That is why you need to have escapeXml='false'.

Re: About Question enthuware.jwpv6.2.1101 :

Posted: Mon Jul 13, 2015 10:59 am
by ednilsoncampos
The only code that prints HTML in H1 is ${htmltext}; the others don't.

<c:out value="${htmltext}" escapeXml='false' />
<c:out value="${htmltext}" escapeXml='true'/>
${htmltext}

Re: About Question enthuware.jwpv6.2.1101 :

Posted: Mon Jul 13, 2015 9:38 pm
by admin
Not sure what you mean. I just tested it and only ${htmltext} is correct.
-Paul.

Re: About Question enthuware.jwpv6.2.1101 :

Posted: Wed Feb 03, 2016 6:02 am
by webdeveloper
I think I did not understand this question.

Question: ".....message in htmltext is displayed in HEAD 1 style...."

I understood the question as the message has to be displayed in HEAD 1 style (large bold style) and hence, the browser should render the tag. However, the explanation says that "...want to write <h1> and </h1> in the output..". (My thought process was that if the browser has to render the tag then obviously, <h1> and </h1> should not be displayed, and so I chose option a.)

Re: About Question enthuware.jwpv6.2.1101 :

Posted: Wed Feb 03, 2016 6:44 am
by admin
The explanation is talking about the output of the jsp/servlet, i.e. the data that is sent to the browser. To display any text in HEAD1 style, you need to write <h1> and </h1> in your jsp's output.

Re: About Question enthuware.jwpv6.2.1101 :

Posted: Wed Feb 03, 2016 7:15 am
by webdeveloper
admin wrote: The explanation is talking about the output of the jsp/servlet, i.e. the data that is sent to the browser. To display any text in HEAD1 style, you need to write <h1> and </h1> in your jsp's output.
Agreed, if this is what the question means.

But the wording of the question is confusing - "...so that the message in htmltext is displayed in HEAD 1 style on the browser?" - for the message to be displayed in HEAD 1 style in the browser, the browser should render the <h1> </h1> tag.

Re: About Question enthuware.jwpv6.2.1101 :

Posted: Wed Feb 03, 2016 7:36 am
by admin
webdeveloper wrote:
admin wrote: The explanation is talking about the output of the jsp/servlet, i.e. the data that is sent to the browser. To display any text in HEAD1 style, you need to write <h1> and </h1> in your jsp's output.
Agreed, if this is what the question means.

But the wording of the question is confusing - "...so that the message in htmltext is displayed in HEAD 1 style on the browser?"

I am not sure what you find confusing in this. It clearly says, "displayed in HEAD 1 style on the browser". What do you think could be another interpretation?
- for the message to be displayed in HEAD 1 style in the browser the browser should render <h1> </h1> tag.

Right, that is why option 1 is incorrect because that option will not cause <h1> and </h1> to be inserted in the data generated by the given code, which is required for the browser to display html text in HEAD1 style.

Re: About Question enthuware.jwpv6.2.1101 :

Posted: Wed Feb 03, 2016 7:38 am
by admin
OK, I think now I see what you mean. You mean <h1> and </h1> should also be displayed in HEAD1 style? That would really be a stretch :)

Re: About Question enthuware.jwpv6.2.1101 :

Posted: Sun Jul 10, 2016 10:23 am
by disznoperzselo
Option 2 : <c:out value="${htmltext}" escapeXml='false' />
You claim that using escapeXml=false is dangerous because it opens the door for cross site scripting attacks.

What about the other Option 5 : ${htmltext} ?
Does it escape htmltext in case of
"<script>doSomethingEvil();</script>"
or is using EL dangerous because it opens the door for cross site scripting attacks?

Re: About Question enthuware.jwpv6.2.1101 :

Posted: Sun Jul 10, 2016 10:12 pm
by admin
As the explanation says, "Option 5 will work because it writes to the output exactly whatever is there in the string.", if you try to output an input value collected from the user on your JSP, this option is also dangerous.
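
The forms discussed in this thread, side by side, as an added example that is not part of the original posts or of the Enthuware question. The sample value of htmltext is constructed, and the request parameter name comment is a hypothetical stand-in for any user-supplied input.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>

<%-- Constructed sample: markup written by the application itself. --%>
<c:set var="htmltext"><h1>Welcome</h1></c:set>

<%-- 1. Unescaped output. Both lines send <h1>Welcome</h1> to the browser
        unchanged, so the text is rendered as a heading. Suitable only for
        markup the application controls. --%>
${htmltext}
<c:out value="${htmltext}" escapeXml="false" />

<%-- 2. Escaped output. c:out defaults to escapeXml="true", and
        fn:escapeXml does the same inside an EL expression. Both send
        &lt;h1&gt;Welcome&lt;/h1&gt;, so the browser shows the tags as text. --%>
<c:out value="${htmltext}" />
${fn:escapeXml(htmltext)}

<%-- 3. Untrusted input (hypothetical request parameter "comment").
        A value such as <script>doSomethingEvil();</script> reaches the
        browser as &lt;script&gt;... and is displayed, not executed. --%>
<p>Comment: <c:out value="${param.comment}" /></p>

<%-- Inside a quoted attribute the same escaping applies: fn:escapeXml also
     encodes both quote characters, so the value cannot close the attribute. --%>
<input type="text" name="comment" value="${fn:escapeXml(param.comment)}">

<%-- 4. The forms to avoid for user input, kept as comments only:
        ${param.comment}
        <c:out value="${param.comment}" escapeXml="false" />
     Both write the parameter to the response exactly as received. --%>
```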