DEADALICE7000 - 27 days ago 11
Java Question

How to display HTML tags from SQL query in Spring view - JSP

I've a little problem with my Spring Boot application. I am fetching results from my MySQL and the plain text is for example:

<b>Hello World</b>


I am displaying it in the view, and the output I am getting is:

<b>Hello World</b>


I want to get this:
Hello World

How can I display those html tags (, , etc.)?

Answer

In a JSP, the <c:out value="${...}" /> tag automatically escapes the value so the characters <, >, &, ', and " will display correctly. This is as it should be, because without escaping your users may be vulnerable to cross-site scripting attacks.

There are two ways to insert HTML text without getting it escaped:

  • Ask the tag to not escape: <c:out value="${...}" escapeXml="false" />
  • Don't use the tag: ${...}

I'd recommend the first option, because it clearly documents that the lack of escaping is intentional.

Beware: If that text comes from a user, a malicious user may inject client-side scripts to attack all your other users.
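
One way to act on the warning above when the stored text may come from users, as an added example that is not part of the original answer: escape every character the way <c:out> does by default, then restore only a few attribute-free formatting tags, and hand the result to the escapeXml="false" form. The class name, the tag allowlist and the sample rows are assumptions made for the example.

```java
import java.util.List;

// Added example: names and sample inputs are constructed, not from the original post.
public class FormattingAllowlist {

    // Tags restored after escaping: exact, attribute-free names only.
    private static final List<String> ALLOWED = List.of("b", "i", "u", "em", "strong");

    // Same five replacements <c:out> applies when escapeXml is left at its default (true).
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '\'': out.append("&#039;"); break;
                case '"':  out.append("&#034;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Escape everything first, then re-enable only the allowlisted tags.
    // Anything with attributes, or any other element, stays inert text.
    static String allowBasicFormatting(String untrusted) {
        String safe = escapeXml(untrusted);
        for (String tag : ALLOWED) {
            safe = safe.replace("&lt;" + tag + "&gt;", "<" + tag + ">")
                       .replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return safe;
    }

    public static void main(String[] args) {
        String[] rows = {                        // constructed sample rows
            "<b>Hello World</b>",
            "<b onclick=\"x()\">Hello</b>",
            "<script>x()</script> & <i>more</i>"
        };
        for (String row : rows) {
            // The result is what a controller would put in the model for
            // <c:out value="${...}" escapeXml="false" />
            System.out.println(allowBasicFormatting(row));
        }
    }
}
```

Only the first row and the <i> pair in the third come out as live markup; the tag carrying an attribute and the script element remain escaped text. An unclosed allowed tag can still affect the styling of the rest of the page, so balance checking is a separate concern.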
