JSP programming best practice: Use the escapeXml attribute to preserve HTML formatting

By default, the value of the escapeXml attribute of the JSTL <c:out> tag is true. This default behavior ensures that HTML special characters, such as <, >, &, ', or ", contained in output strings are converted into their corresponding character entity codes and displayed properly in the HTML page produced by the JSP page. In some common HCL Commerce store scenarios, however, this behavior is counterproductive. One such scenario is the display of prices in globalized stores:

Important: Only set the escapeXML attribute to false when you are accessing internal parameters, not parameters or attributes that are specified on the URL. Pages are susceptible to XSS attack when using unescaped URL parameters.

<c:out value="${product.listPrice}" />

As the Japanese yen symbol, yen, is displayed using the &yen; named character entity, the default conversion will result in the price of yen3,544 being displayed as &yen;3,544.

To prevent the conversion, escapeXml should be explicitly set to false as follows:


<c:out value="${product.listPrice}" escapeXml="false" />

Another common scenario is the display of user-supplied text, such as product descriptions or dynamic text messages. If you expect advanced users to use HTML tags for formatting, such as line breaks or bulleted lists, set the escapeXml attribute of the <c:out> tag used to display the text to false as in the following example:


<c:out value="${productPromotion.longDescriptionString}"
escapeXml="false" />