Is nesting a c:out JSTL tag inside an element attribute a good practice or

Question

0

Asked: May 26, 20262026-05-26T03:59:02+00:00 2026-05-26T03:59:02+00:00

Is nesting a c:out JSTL tag inside an element attribute a good practice or

0

Is nesting a c:out JSTL tag inside an element attribute a good practice or is using the var attribute of c:out generally preferred? It seems to work either way, but I suspect nesting it might not work in some application servers or versions of JSP (and it just looks wrong).

For example, an input element which has its value restored on validation failure, and with special character escaping:

<input type="text" name="firstname" value="<c:out value="${param.firstname}"/>"/>

versus:

<c:out value="${param.firstname}" var="firstname"/>
<input type="text" name="firstname" value="${firstname}"/>

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-26T03:59:03+00:00

Editorial Team

2026-05-26T03:59:03+00:00Added an answer on May 26, 2026 at 3:59 am

The common practice to prevent XSS attacks in HTML element attributes without disturbing the well formed XML syntax by a nested <c:out> tag is using fn:escapeXml() function instead:

<input type="text" name="firstname" value="${fn:escapeXml(param.firstname)}"/>

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Is nesting a c:out JSTL tag inside an element attribute a good practice or

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply