Escape special characters
Beware of common hacks
"blah"
instead of "blah"
. (A simple search for the text '"'
will return numerous examples of such errors.)
This is caused by overzealous escaping of special characters.
The ampersand character '&'
, in particular, is doubly
special: it is both a special character, and forms part of the escape
mechanism itself, as in '>'
and '"'
.
If text containing any special character is escaped twice, the problem mentioned above occurs. A simple example shows why:

"blah" (including quotes)
&quot;blah&quot; (still renders as "blah")
&amp;quot;blah&amp;quot; (renders as &quot;blah&quot;)

Note the doubly escaped ampersand.

<c:out> in JSTL
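JSTL's <c:out> escapes its value by default (escapeXml="true"), so it must not be applied to text that was already escaped somewhere else. The following Java example is added here and is not code from the original page: it shows why '&' has to be replaced first, reproduces the "blah" sequence above, and includes a check for the double-escaping symptom. The class, method and pattern names are mine.

```java
import java.util.regex.Pattern;

// Added example: a minimal HTML escaper plus a check that spots text
// that has already been escaped twice.
public final class HtmlEscapeDemo {

    // Characters with special meaning in HTML text or attribute values.
    // '&' must be replaced first: the other replacements introduce new
    // '&' characters, and those must not be escaped again.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("\"", "&quot;")
                .replace("'", "&#39;");
    }

    // Symptom of double escaping: an entity whose own '&' was escaped
    // a second time, e.g. "&amp;quot;" where "&quot;" was intended.
    private static final Pattern DOUBLE_ESCAPED =
        Pattern.compile("&amp;(amp|lt|gt|quot|#39);");

    static boolean looksDoubleEscaped(String html) {
        return DOUBLE_ESCAPED.matcher(html).find();
    }

    public static void main(String[] args) {
        String raw = "\"blah\"";           // constructed sample text
        String once = escapeHtml(raw);    // &quot;blah&quot; renders as "blah"
        String twice = escapeHtml(once);  // &amp;quot;blah&amp;quot; renders as &quot;blah&quot;

        System.out.println("once : " + once
            + "  suspicious=" + looksDoubleEscaped(once));   // false
        System.out.println("twice: " + twice
            + "  suspicious=" + looksDoubleEscaped(twice));  // true
    }
}
```

The fix is to keep raw text in the model and escape exactly once at the output boundary (<c:out> or an equivalent), not to strip or skip escaping when the check fires.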