Getting wrong characters in parameter

Question

In files.jsp I am using following anchor and JSTL c:url combination -

<c:url value="downloadfile.jsp" var="dwnUrl" scope="request">
  <c:param name="fileType" value="PDF"/>
  <c:param name="fileId" value="${file.fileId}"/>
  <c:param name="fileName" value="${file.fileName}"/>
  </c:url>
<a href="${dwnUrl}">Download</a>

On downloadfile.jsp getting the file name value in JavaScript variable as -

selectedFile = <c:out value='${param.fileName}'>

Now, if file name contains some extra character e.g. XYZ 2/3" Technical then on the other page I am getting some different character as - XYZ 2/3#034; Technical

However, if I print request.getParameter("fileName"), its giving correct name. What is wrong?

Answer 1

The funky characters in your <c:param> values are being URL encoded by <c:url> as they should be. As far as downloadfile.jsp is concerned, the servlet container takes care of URL decoding incoming variables so you don't have to. This is normal behavior and shouldn't pose any problems for you.

Answer 2

The <c:out> by default escapes XML entities, such as the doublequote. This is done so to get well-formed XML and to avoid XSS.

To fix this, you should either get rid of <c:out>, since JSP 2.0, EL works perfectly fine in template text as well:

selectedFile = '${param.fileName}';

.. or, if you're still on legacy JSP 1.2 or older, set its escapeXml attribute to false:

selectedFile = '<c:out value="${param.fileName}" escapeXml="false">';

Note that I have added the singlequotes and semicolon to make JS code valid.

Needless to say, you'll need to keep XSS risks in mind if you do so.