In JSTL an expression such as
<c:out value="${user.firstName}"/> will escape any HTML as contained in user.firstName.
However, does it apply to all JSTL tags? For instance, will an expression like
href="<c:url value="/users/">
<c:param name="firstName" value="${user.firstName}"/>
</c:url>"
also escape HTML?
No, no tag except <c:out> escapes XML. For example: <fmt:message> doesn't escape XML. This allows placing HTML markup or escape sequences in the resource bundle.
<c:param> url-encodes the parameter value. But placing two <c:param> inside a single <c:url> will produce an unescaped &: someUrl?foo=bar&baz=zim. To properly escape this &, store the URL inside a variable, and use <c:out> or fn:escapeXml to escape the variable:
<c:url value="someUrl" var="theUnescapedUrl">
<c:param name="foo" value="bar"/>
<c:param name="baz" value="zim"/>
</c:url>
<a href="<c:out value='${theUnescapedUrl}'/>">click here</a>
or
<a href="${fn:escapeXml(theUnescapedUrl)}">click here</a>