About Question enthuware.jwpv6.2.1101 :

shareef.hiasat
Posts: 20
Joined: Thu Dec 19, 2013 8:22 am

About Question enthuware.jwpv6.2.1101 :

Post by shareef.hiasat »

Greetings, will the option

${htmltext}

appear as escapeXml="false" by default, or what? Because

the way I believe is by using the EL function fn:escapeXml(string).


Means if I use ${htmltext} it will appear in heading 1 style, not <h1>xxxx</h1>, right?

Correct me if I am wrong, thanks.

shareef.

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm

Re: About Question enthuware.jwpv6.2.1101 :

Post by admin »

As the explanation says, escapeXml is true by default. If you do not specify escapeXml='false', you will get &lt;h1 instead of <h1. That is why you need to have escapeXml='false'.
If you like our products and services, please help us by posting your review here.

ednilsoncampos
Posts: 9
Joined: Wed Jun 17, 2015 6:19 pm

Re: About Question enthuware.jwpv6.2.1101 :

Post by ednilsoncampos »

The only code that prints HTML in H1 is ${htmltext}; the others don't.

<c:out value="${htmltext}" escapeXml='false' />
<c:out value="${htmltext}" escapeXml='true'/>
${htmltext}

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm

Re: About Question enthuware.jwpv6.2.1101 :

Post by admin »

Not sure what you mean. I just tested it and only ${htmltext} is correct.
-Paul.

webdeveloper
Posts: 8
Joined: Tue Jan 19, 2016 9:05 pm

Re: About Question enthuware.jwpv6.2.1101 :

Post by webdeveloper »

I think I did not understand this question.

Question: ".....message in htmltext is displayed in HEAD 1 style...."

I understood the question as the message has to be displayed in HEAD 1 style (large bold style) and hence the browser should render the tag. However, the explanation says that "...want to write <h1> and </h1> in the output..". (My thought process was that if the browser has to render the tag then obviously <h1> and </h1> should not be displayed, and so I chose option a.)

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm

Re: About Question enthuware.jwpv6.2.1101 :

Post by admin »

The explanation is talking about the output of the JSP/servlet, i.e. the data that is sent to the browser. To display any text in HEAD1 style, you need to write <h1> and </h1> in your JSP's output.

webdeveloper
Posts: 8
Joined: Tue Jan 19, 2016 9:05 pm

Re: About Question enthuware.jwpv6.2.1101 :

Post by webdeveloper »

admin wrote: The explanation is talking about the output of the JSP/servlet, i.e. the data that is sent to the browser. To display any text in HEAD1 style, you need to write <h1> and </h1> in your JSP's output.
Agreed, if this is what the question means.

But the wording of the question is confusing - "...so that the message in htmltext is displayed in HEAD 1 style on the browser?" - for the message to be displayed in HEAD 1 style in the browser, the browser should render the <h1> </h1> tag.

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm

Re: About Question enthuware.jwpv6.2.1101 :

Post by admin »

webdeveloper wrote:
admin wrote: The explanation is talking about the output of the JSP/servlet, i.e. the data that is sent to the browser. To display any text in HEAD1 style, you need to write <h1> and </h1> in your JSP's output.
Agreed, if this is what the question means.

But the wording of the question is confusing - "...so that the message in htmltext is displayed in HEAD 1 style on the browser?"

I am not sure what you find confusing in this. It clearly says, "displayed in HEAD 1 style on the browser". What do you think could be another interpretation?
- for the message to be displayed in HEAD 1 style in the browser, the browser should render the <h1> </h1> tag.

Right, that is why option 1 is incorrect, because that option will not cause <h1> and </h1> to be inserted in the data generated by the given code, which is required for the browser to display html text in HEAD1 style.

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm

Re: About Question enthuware.jwpv6.2.1101 :

Post by admin »

OK, I think now I see what you mean. You mean <h1> and </h1> should also be displayed in HEAD1 style? That would really be a stretch :)

disznoperzselo
Posts: 28
Joined: Fri Jan 02, 2015 12:13 pm

Re: About Question enthuware.jwpv6.2.1101 :

Post by disznoperzselo »

Option 2 : <c:out value="${htmltext}" escapeXml='false' />
You claim that using escapeXml=false is dangerous because it opens the door for cross site scripting attacks.

What about the other Option 5 : ${htmltext} ?
Does it escape htmltext in case of
"<script>doSomethingEvil();</script>"
or is using EL dangerous because it opens the door for cross-site scripting attacks?

admin
Site Admin
Posts: 10036
Joined: Fri Sep 10, 2010 9:26 pm

Re: About Question enthuware.jwpv6.2.1101 :

Post by admin »

As the explanation says, "Option 5 will work because it writes to the output exactly whatever is there in the string.", if you try to output an input value collected from the user on your JSP, this option is also dangerous.
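
The options discussed in this thread, side by side, as an added example that is not part of the original posts or of the Enthuware question. It assumes JSTL 1.2 is on the classpath; the request parameter name msg and the variable userText are hypothetical, and the heading text is a constructed sample.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>

<%-- Constructed sample: markup written by the developer (trusted). --%>
<c:set var="htmltext"><h1>Welcome</h1></c:set>

<%-- Untrusted: taken from the request (parameter name msg is an assumption). --%>
<c:set var="userText" value="${param.msg}" />

<%-- Unescaped output: both lines write the string exactly as it is, so the
     browser receives <h1>Welcome</h1> and renders a heading. This is only
     acceptable because htmltext never contains user input. --%>
${htmltext}
<c:out value="${htmltext}" escapeXml="false" />

<%-- Escaped output: c:out defaults to escapeXml="true", and fn:escapeXml
     does the same for plain EL. The characters < > & ' " are written as
     &lt; &gt; &amp; &#039; &#034;, so markup in userText is shown as text
     and is never interpreted by the browser. --%>
<c:out value="${userText}" />
${fn:escapeXml(userText)}

<%-- HEAD 1 style for user-supplied text: keep the tags in the template
     and escape only the data placed between them. --%>
<h1><c:out value="${userText}" /></h1>
```

The last form gives the heading style the question asks for without switching escaping off for data that came from the request.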
