Can you identify the bug in the piece of code below?

<a href=”javascript:void(0)” onclick=”foo(‘${bar}’)”>Moo</a>

Your code goes for a toss if bar contains single quotes.

When you are trying to mix JS and EL always use the JSTL tag c:out as this converts special characters into their respective HTML entities.

<a href=”javascript:void(0)” onclick=”foo(‘<c:out value=”bar”/>’)”>Moo</a>

Even if you are not mixing EL and JS, it is always safer to use JSTL c:out tag as, it gives you a certain amount of protection against script injection attacks.

Advertisements