About Question enthuware.jwpv6.2.1101 :
Moderator: admin
-
- Posts: 20
- Joined: Thu Dec 19, 2013 8:22 am
- Contact:
About Question enthuware.jwpv6.2.1101 :
Greetings, does the option
${htmltext}
appear as escapeXml="false" by default, or what? Because
the way I believe is by using the EL function fn:escapeXml(string).
That means if I use ${htmltext} it will appear in heading 1 style, not <h1>xxxx</h1>, right?
Correct me if I am wrong, thanks.
shareef.
-
- Site Admin
- Posts: 10066
- Joined: Fri Sep 10, 2010 9:26 pm
- Contact:
Re: About Question enthuware.jwpv6.2.1101 :
As the explanation says, escapeXml is true by default. If you do not specify escapeXml='false', you will get &lt;h1 instead of <h1. That is why you need to have escapeXml='false'.
If you like our products and services, please help us by posting your review here.
-
- Posts: 9
- Joined: Wed Jun 17, 2015 6:19 pm
- Contact:
Re: About Question enthuware.jwpv6.2.1101 :
The only code that prints HTML in H1 is ${htmltext}; the others don't.
<c:out value="${htmltext}" escapeXml='false' />
<c:out value="${htmltext}" escapeXml='true'/>
${htmltext}
-
- Site Admin
- Posts: 10066
- Joined: Fri Sep 10, 2010 9:26 pm
- Contact:
Re: About Question enthuware.jwpv6.2.1101 :
Not sure what you mean. I just tested it and only ${htmltext} is correct.
-Paul.
-
- Posts: 8
- Joined: Tue Jan 19, 2016 9:05 pm
- Contact:
Re: About Question enthuware.jwpv6.2.1101 :
I think I did not understand this question.
Question: ".....message in htmltext is displayed in HEAD 1 style...."
I understood the question as: the message has to be displayed in HEAD 1 style (large bold style) and hence the browser should render the tag. However, the explanation says that "...want to write <h1> and </h1> in the output..". (My thought process was that if the browser has to render the tag then obviously <h1> and </h1> should not be displayed, and so I chose option a.)
-
- Site Admin
- Posts: 10066
- Joined: Fri Sep 10, 2010 9:26 pm
- Contact:
Re: About Question enthuware.jwpv6.2.1101 :
The explanation is talking about the output of the jsp/servlet, i.e. the data that is sent to the browser. To display any text in HEAD1 style, you need to write <h1> and </h1> in your jsp's output.
-
- Posts: 8
- Joined: Tue Jan 19, 2016 9:05 pm
- Contact:
Re: About Question enthuware.jwpv6.2.1101 :
Agreed, if this is what the question means.
admin wrote: The explanation is talking about the output of the jsp/servlet i.e. the data that is sent to the browser. To display any text in HEAD1 style, you need to write <h1> and </h1> in your jsp's output.
But, the wording of the question is confusing - "...so that the message in htmltext is displayed in HEAD 1 style on the browser? " - for the message to be displayed in HEAD 1 style in the browser, the browser should render the <h1> </h1> tag.
-
- Site Admin
- Posts: 10066
- Joined: Fri Sep 10, 2010 9:26 pm
- Contact:
Re: About Question enthuware.jwpv6.2.1101 :
webdeveloper wrote: Agreed, if this is what the question means.
admin wrote: The explanation is talking about the output of the jsp/servlet i.e. the data that is sent to the browser. To display any text in HEAD1 style, you need to write <h1> and </h1> in your jsp's output.
But, the wording of the question is confusing - "...so that the message in htmltext is displayed in HEAD 1 style on the browser? "
I am not sure what you find confusing in this. It clearly says, "displayed in HEAD 1 style on the browser". What do you think could be another interpretation?
webdeveloper wrote: - for the message to be displayed in HEAD 1 style in the browser the browser should render <h1> </h1> tag.
Right, that is why option 1 is incorrect, because that option will not cause <h1> and </h1> to be inserted in the data generated by the given code, which is required for the browser to display html text in HEAD1 style.
-
- Site Admin
- Posts: 10066
- Joined: Fri Sep 10, 2010 9:26 pm
- Contact:
Re: About Question enthuware.jwpv6.2.1101 :
OK, I think now I see what you mean. You mean <h1> and </h1> should also be displayed in HEAD1 style? That would really be a stretch.
-
- Posts: 28
- Joined: Fri Jan 02, 2015 12:13 pm
- Contact:
Re: About Question enthuware.jwpv6.2.1101 :
Option 2 : <c:out value="${htmltext}" escapeXml='false' />
You claim that using escapeXml=false is dangerous because it opens the door for cross-site scripting attacks.
What about the other option, Option 5 : ${htmltext} ?
Does it escape htmltext in the case of
"<script>doSomethingEvil();</script>"
or is using EL dangerous because it opens the door for cross-site scripting attacks?
-
- Site Admin
- Posts: 10066
- Joined: Fri Sep 10, 2010 9:26 pm
- Contact:
Re: About Question enthuware.jwpv6.2.1101 :
As the explanation says, "Option 5 will work because it writes to the output exactly whatever is there in the string." If you try to output an input value collected from the user on your JSP, this option is also dangerous.
If you like our products and services, please help us by posting your review here.
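The output forms discussed in this thread, side by side, as an added example that is not part of the original posts or of the question bank. It assumes JSTL 1.1 or later on the classpath and a container that evaluates EL in template text; the attribute name `userInput` is hypothetical and both sample values are constructed, with the script string taken from the question above.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%
    // Constructed sample values (not from the question bank).
    // htmltext: markup the application itself produced.
    request.setAttribute("htmltext", "<h1>Welcome</h1>");
    // userInput (hypothetical name): stands in for a request parameter.
    request.setAttribute("userInput", "<script>doSomethingEvil();</script>");
%>
<html><body>

<%-- Option 2: writes <h1>Welcome</h1> unchanged; rendered as a heading. --%>
<c:out value="${htmltext}" escapeXml="false" />

<%-- Default escapeXml="true": writes &lt;h1&gt;Welcome&lt;/h1&gt;,
     so the browser shows the tags as literal text. --%>
<c:out value="${htmltext}" />

<%-- Option 5: bare EL in template text also writes the string unchanged. --%>
${htmltext}

<%-- Untrusted value: both lines below write
     &lt;script&gt;doSomethingEvil();&lt;/script&gt; (inert text). --%>
<c:out value="${userInput}" />
${fn:escapeXml(userInput)}

<%-- Not shown live: ${userInput} or c:out with escapeXml="false" would
     write the script element unescaped, which is the XSS risk raised above. --%>

</body></html>
```

Viewing the page source of the response, rather than the rendered page, shows which forms emitted `&lt;` and which emitted `<`.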