DO NOT PERFORM xml escaping.
99% of my usage of both is to produce text (text elements or attribute values).
Only 1% of my situations contain markup inside the "exp" expression.
As EL values come from various and 99% unescaped sources (params, resources, db...),
I have to use c:out or fn:escapeXml over and over, which enlarges the source code
and creates an unnecessary mess.
This is very sad, and I would like to propose a new $$ operator for EL,
which I would like to use as the default
(shall I implement this myself? How? When? Where?),
or have I missed some trivial trick?
The hope for declarative tag-based markup disappears soon with my paranoid escaping of output:
<fmt:setBundle var="localizationContext" basename="tags" />
<c:set var="bundle" value="${localizationContext.resourceBundle}" />
.....
<fmt:message bundle="${localizationContext}" key="fileTable.lastModified" var="strLastModified"/>
<c:out value="${strLastModified}"/>
The last two lines hurt my eyes
and pollute pageScope with a useless variable,
so I tend to rewrite it soon into:
${fn:escapeXml(bundle['fileTable.lastModified'])}
Apart from losing the declarative beauty, I have no clue about the runtime consequences ;-) I have to read, think and maybe reverse engineer a bit.
Please, is anyone willing to educate me?
Thanx.
Update:
c:out CAN HAVE A BODY, just stupid design,
since it MUST have a value attribute.
Only when value is null is the body processed.
<c:out value="${null}">
  <fmt:message bundle="${localizationContext}" key="parametrized.markup">
    <fmt:param value="${bundle['namespaced.markup']}"/>
    <fmt:param value="${fn:escapeXml(bundle['namespaced.markup'])}"/>
    <!-- probably wrong, double escaping -->
  </fmt:message>
</c:out>
This can save us from exporting strLastModified.
But, how do you specify null in EL ?
After reading specs again I have found
NullLiteral ::= 'null'
Look at MS ideas here:
http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx
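The double escaping flagged in the c:out update above, as an added example that is not part of the original post: a plain-Java model of the three variants, assuming fmt:message substitutes parameters without escaping and c:out escapes its body by default. The class name, method names and sample strings are constructed for illustration.

```java
import java.text.MessageFormat;

// Added example: models the escaping steps of the JSP snippets, no servlet container needed.
public class EscapeOnceDemo {

    // The five replacements JSTL applies in c:out and fn:escapeXml.
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Stand-in for <fmt:message> with one <fmt:param>: substitution only, no escaping.
    static String fmtMessage(String pattern, String param) {
        return MessageFormat.format(pattern, param);
    }

    // <fmt:message> written straight to the page: the parameter's markup reaches the browser.
    static String unescaped(String pattern, String param) {
        return fmtMessage(pattern, param);
    }

    // <c:out value="${null}"> around <fmt:message>: the body is escaped once, at output.
    static String escapedOnce(String pattern, String param) {
        return escapeXml(fmtMessage(pattern, param));
    }

    // Same, but the param already went through fn:escapeXml: every '&' is escaped again.
    static String escapedTwice(String pattern, String param) {
        return escapeXml(fmtMessage(pattern, escapeXml(param)));
    }

    public static void main(String[] args) {
        String pattern = "Uploaded by {0}";      // constructed bundle entry
        String param = "<b>Tom & Jerry</b>";     // constructed untrusted value
        System.out.println("raw:   " + unescaped(pattern, param));
        System.out.println("once:  " + escapedOnce(pattern, param));
        System.out.println("twice: " + escapedTwice(pattern, param));
    }
}
```

Wrapping the whole message in c:out also escapes the bundle pattern itself, so markup that is meant to survive in the message text is neutralised along with the parameter.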