tomcat-users mailing list archives

From Otmar Manuela <ot...@caribmedia.com>
Subject Re: What is the difference between ${param.P} and <%= request.getParameter("P") %>?
Date Fri, 11 Jun 2010 21:29:09 GMT
Thanks for the replies.  I figured out what was causing the problem.  I 
was using parameters with dashes in them and that was causing this 
problem.  Since I only tested with different parameters with dashes in 
them, I assume it was happening with all parameters.  My bad!

So the problem would not happen with ${param.P}, but only with 
${param.my-code}.  I guess with parameters with dashes in them, it treats 
it as a calculation and therefore returns a 0.

Regarding the javascript attack in the code sample, you are probably 
right.  I guess a <c:out> escaping the XML characters will probably help 
a lot already, but it does require more thought.

Otmar


On 6/9/2010 4:09 AM, Pid wrote:
> On 08/06/2010 19:06, Otmar Manuela wrote:
>    
>> Hi,
>>
>> I have a contact page, which contains a struts form.  However, on that
>> page, when trying to read the URL parameters, I get a zero instead of
>> the parameter value, unless I use <%= request.getParameter() %>.
>>
>> Example:
>>
>> URL loading the contact form page:
>> http://www.somedomain.com/contact.do?itemCode=ABC
>>
>> Contact Form Page:
>> ......
>> <p>Please send me info regarding ${param.itemCode}</p>
>> <html:form action="contactForm">
>> ....
>> ....
>> <html:submit>Submit</html:submit>
>> </html:form>
>> .....
>>
>>
>> The paragraph in the Contact Form page above shows "Please send me info
>> regarding 0".  If I change ${param.itemCode} with <%=
>> request.getParameter("itemCode") %>, I get "Please send me info
>> regarding ABC", which is what I want to show.
>> This is the first time I encountered this issue.  Normally both would
>> return the same thing.
>>
>> Any idea what is happening?  I'm trying to avoid the "<%=   %>" syntax
>> as much as possible.
>>      
> Hard to know which JSP version you're using without knowing which Tomcat
> version, and which version number you have in your web.xml.
>
> It's usually a good idea to tell us everything about your environment,
> including exact Tomcat, OS, JVM and any relevant library versions.
>
> If you want to use EL scripting then you may also need to check it's
> enabled by default (jsp-config section of web.xml if memory serves)
>
>
> p
>
>
> P.S. Also, the above code is probably horribly exposed to javascript
> attacks, you should not display raw parameter information anywhere in
> your HTML
>
>
>
>
>
>    
>> Thanks,
>>
>> Otmar
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>      
>
>    

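The two points from the message above, side by side, as an added example that is not part of the original thread: why `${param.my-code}` renders 0, and how to print the parameter escaped. It assumes the JSTL core and functions taglibs are on the classpath and uses a constructed request, `/contact.do?my-code=ABC`.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%-- Added example. Constructed request: /contact.do?my-code=ABC --%>

<%-- 1. Dot notation with a dash.
        EL parses this as (param.my) - (code), a subtraction.
        Both operands are null, and EL coerces null to 0 in arithmetic,
        so this renders "0" regardless of what the request contains. --%>
<p>Dot notation: ${param.my-code}</p>

<%-- 2. Bracket notation looks up the key "my-code" in the param map,
        so it renders "ABC". The value is written to the page as-is,
        without any HTML escaping (same as <%= request.getParameter(...) %>). --%>
<p>Bracket notation, unescaped: ${param['my-code']}</p>

<%-- 3. Bracket notation plus c:out. escapeXml defaults to true, so
        <, >, &, ' and " are emitted as character entities and the
        value is displayed as text rather than interpreted as markup. --%>
<p>Please send me info regarding <c:out value="${param['my-code']}"/></p>

<%-- 4. Inside an attribute value a nested tag is awkward;
        fn:escapeXml applies the same escaping from within EL. --%>
<input type="hidden" name="my-code"
       value="${fn:escapeXml(param['my-code'])}"/>

<%-- 5. A parameter that may be absent: c:out takes a default, which
        is escaped the same way as the value. --%>
<p>Item: <c:out value="${param['my-code']}" default="(none given)"/></p>
```

Forms 3 to 5 cover HTML body text and quoted attribute values only; a parameter placed inside a script block or a URL needs the encoding for that context instead.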

