
When should one use the <%- tag? Since the <%- is unescaped, wouldn't it just leave the application vulnerable to attacks?

lightbringer
  • That depends on where the output is coming from. If it needs to be escaped because it's not trusted, you should clearly escape it. Other times you really don't want to escape the output. It all depends upon you. – adeneo Jul 25 '17 at 18:56

2 Answers


You'd use it when you have trusted HTML in a variable.

For example, if you were to run a chunk of data through a Markdown parser to generate HTML.

Quentin
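To make the difference concrete, here is an added example (not from the question or either answer, and not the real ejs package): a minimal renderer that implements only the two tags under discussion, with the same five-character escaping ejs applies to <%= %>. It assumes a constructed untrusted comment and a constructed string that a server-side Markdown renderer produced from author-controlled Markdown, as in Quentin's example.

```javascript
// Added example, not the ejs library: a tiny subset renderer that supports
// only <%= key %> (escaped) and <%- key %> (raw). `key` is looked up in the
// data object; no arbitrary JavaScript is evaluated.

// EJS escapes exactly these five characters in <%= %> output.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPE_MAP[c]);
}

// <%= expr %> escapes the value; <%- expr %> inserts it verbatim.
function render(template, data) {
  return template.replace(/<%([=-])\s*(\w+)\s*%>/g, (_, tag, key) => {
    const value = data[key] === undefined ? '' : data[key];
    return tag === '=' ? escapeHtml(value) : String(value);
  });
}

// Constructed sample input: a comment body exactly as an untrusted user typed it.
const userComment = '<script>alert(1)</script> nice post';

// Constructed sample: HTML produced by a server-side Markdown renderer from
// Markdown the site author wrote ("**Hello** world"). It is trusted because of
// where the Markdown came from, not because the renderer ran.
const markdownHtml = '<p><strong>Hello</strong> world</p>';

// Untrusted text through <%= %>: the markup is neutralised.
function renderEscaped() {
  return render('<div><%= comment %></div>', { comment: userComment });
}

// The same untrusted text through <%- %>: the script tag reaches the page as-is.
function renderRaw() {
  return render('<div><%- comment %></div>', { comment: userComment });
}

// Trusted HTML through <%- %>: this is the case the answer describes.
function renderTrustedHtml() {
  return render('<article><%- body %></article>', { body: markdownHtml });
}

console.log(renderEscaped());
console.log(renderRaw());
console.log(renderTrustedHtml());
```

Running it shows why the choice belongs to the data source: the same tag is correct for `markdownHtml` and wrong for `userComment`.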

I'll show you when you need to use each.

CASE 1 <% DECLARE JAVA CLASS AND OBJECTS %>

I use this form when I need to declare an ArrayList, for example Notices & Events; after this I can use form 1 to show the data in a table.

<%@ page import="java.util.ArrayList" %>
<%-- NoticiasyEventos is the poster's own model class (not shown in the answer) --%>
<%
    boolean flag = false;
    // The servlet stored the list as a request attribute before forwarding to this page
    ArrayList<NoticiasyEventos> arrayNoticiasyEventos = (ArrayList<NoticiasyEventos>) request.getAttribute("arrayNoticiasyEventos");

    // Only render the table when the servlet actually supplied the list
    if(arrayNoticiasyEventos != null){
        flag = true;
    }
%>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Document</title>
</head>
<body>

</body>
</html>

CASE 2 <%= VALUE %>

In this case I need to get a specific value from the Servlet. Remember that I declared the ArrayList, so I can use this array to get the value I need.

<table>
    <thead>
        <tr>
            <th>MÓDULO</th>
            <th>CATEGORÍA</th>
            <th>TÍTULO</th>
            <th>RESUMEN</th>
            <th>DETALLE</th>
            <th>FECHA NOTICIA</th>
            <th>IMAGEN</th>
            <th>MODIFICAR</th>
            <th>ESTADO</th>
        </tr>
    </thead>
    <tbody>
        <%-- flag was set in CASE 1; iterate over the list supplied by the servlet --%>
        <%
        if(flag){
            for (int i = 0; i < arrayNoticiasyEventos.size(); i++) {
        %>
        <tr>
            <%-- The JSP expression tag writes each value verbatim; it does not HTML-escape --%>
            <td><%=arrayNoticiasyEventos.get(i).getDes_mod()%></td>
            <td><%=arrayNoticiasyEventos.get(i).getDes_cat()%></td>
            <td><%=arrayNoticiasyEventos.get(i).getDes_tit()%></td>
            <td><%=arrayNoticiasyEventos.get(i).getDet_res()%></td>
            <td><%=arrayNoticiasyEventos.get(i).getDes_det()%></td>
            <td><%=arrayNoticiasyEventos.get(i).getFec_not()%></td>
            <td align='center'><img id='myImg' src='<%=arrayNoticiasyEventos.get(i).getUrl_img()%>' alt='<%=arrayNoticiasyEventos.get(i).getDes_tit()%>' width='80' height='65' onclick='modalI(this);' /></td>
            <td align="center"><button class='btn green-meadow' style='width: 107px;' data-target='#modal_modificar_noticias_eventos' data-toggle='modal' onclick='buscarNoticiaXId(<%=arrayNoticiasyEventos.get(i).getCod_not_eve()%>);'>EDITAR</button></td>
            <td align="center"><button class='btn blue' style='width: 107px;' data-target='#modal_desabilitar_noticia' data-toggle='modal' onclick='deshabilitarNoticiaXId(<%=arrayNoticiasyEventos.get(i).getCod_not_eve()%>);'>ACTIVO</button></td>
        </tr>
        <%
            }
        }
        %>
    </tbody>
</table>

I hope I have helped, regards