tags:

views:

736

answers:

2
+3  Q: 

Is it really a best practice to use jstl out tag?

I remember working on a project with a group of developers and they always wanted static html text to be inside of an out tag (<c:out value="words" />). I don't remember why this was the case.

Is this really a best practice when building jsp pages? What are the advantages/disadvantages of such an approach?

+2  A: 

If you're just printing out plain text it's better to do it in html. The advantage of the c:out tag is that you can evaluate expressions inside the tag.

<c:out value="Hello ${user.firstName} ${user.lastName}"/>
Bill the Lizard  2008-10-20 19:19:25
That advantage disappears in Servlet Spec 2.3+, when the container is able to provide EL support directly. As such, c:out should not be used just to output EL in a Servlet Spec 2.3+ container, when Hello ${user.firstName} ${user.lastName} is more readable without the c:out around it.
MetroidFan2002  2008-10-20 19:55:10
Just be aware that EL does not escape special HTML characters. If the EL is outputting data supplied by a user theis leaves the application open to nasty security vulnerabilities such as cross-site scripting.
laz  2008-10-20 20:32:37
+8  A: 

It is a terrible idea for static text. You then have no barrier as to what is static and what is dynamically generated.

Besides which, on Servlet Spec 2.3+ you can have dynamic text mixed with static text as:

This is static, not ${dynamic} text.

The only reasons to use c:out tags, in my experience:

  1. You're using an older servlet spec, and need them to output DYNAMIC text in some fashion

  2. You want to escape HTML output to avoid using <>, etc, replacing ampersands with their control codes, etc.

Otherwise, having them use static text confuses the programmer or maintainer...now where did I put that EL? It was in a c:out tag...but so was fifty other lines of static text!

MetroidFan2002  2008-10-20 19:53:56
I think that escaping is the primary reason today to use c:out.
Peter Štibraný  2009-05-05 20:38:14
As long as you're not using an older servlet spec (which some people are still forced to do, unfortunately, luckily I am not one of these poor souls), I agree with you - the escaping XML is lovely.
MetroidFan2002  2009-05-06 02:10:26

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?