Render HTML unescaped in a JSP page

Developer https://www.devze.com 2023-04-11 14:33 Source: the web
I've a field on a DB that contains an HTML text and I need to print it into a JSP page. How can I render the HTML? Using <c:out value="${text}" /> I can see the text with HTML tags. In other words, it is escaping the HTML.


The <c:out> by default escapes XML entities <, >, &, " and ' to prevent XSS attacks.

So to solve your problem, either just don't use <c:out> (works on JSP 2.0 and newer):

${text}

or add the escapeXml="false" attribute:

<c:out value="${text}" escapeXml="false" />

You only need to ensure that this HTML is trusted, or this will be a very easy XSS attack hole. Jsoup may be helpful in this, see also XSS prevention in JSP/Servlet web application.
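
One way to make the stored HTML safe to print unescaped, as an added example that is not part of the original answer: sanitize it with Jsoup before the JSP sees it. The class name StoredHtmlSanitizer, the sample DB value and the request attribute name "text" are assumptions; it needs jsoup 1.14.2 or newer on the classpath.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.safety.Safelist;

/** Added example (hypothetical class): cleans stored HTML before a JSP prints it unescaped. */
public final class StoredHtmlSanitizer {

    // Safelist.basic() permits simple text formatting and links only. Elements such as
    // <script> and <style>, event-handler attributes and javascript: URLs are not on
    // the list, so Jsoup.clean() drops them. Older jsoup releases call this class Whitelist.
    private static final Safelist POLICY = Safelist.basic();

    // Disable pretty-printing so the cleaned fragment keeps the author's whitespace.
    private static final Document.OutputSettings OUTPUT =
            new Document.OutputSettings().prettyPrint(false);

    private StoredHtmlSanitizer() {}

    /** Returns a fragment that contains only safelisted markup; null becomes "". */
    public static String sanitize(String untrustedHtml) {
        if (untrustedHtml == null) {
            return "";
        }
        // Empty base URI: relative links cannot be resolved to an allowed protocol
        // and lose their href, which is the conservative choice here.
        return Jsoup.clean(untrustedHtml, "", POLICY, OUTPUT);
    }

    public static void main(String[] args) {
        // Constructed sample of what the DB field might hold.
        String fromDb = "<p onclick=\"track()\">Hello <b>world</b></p>"
                + "<script>alert(1)</script>"
                + "<a href=\"javascript:void(0)\">link</a>";

        String safe = sanitize(fromDb);
        System.out.println(safe);

        // In a servlet, store the cleaned value and let the JSP print it unescaped:
        //   request.setAttribute("text", StoredHtmlSanitizer.sanitize(fromDb));
        //   JSP: ${text}   or   <c:out value="${text}" escapeXml="false" />
    }
}
```

Sanitizing at output time, as here, means a later tightening of the safelist also applies to rows that were stored earlier.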
