Difference in HTML output from <c:out escapeXml="false"> and scriptlet

MN Mohal · Jul 29, 2015 · Viewed 8.1k times

I am using JSTL to display my data from database in which records also contain some special characters. When I am displaying my record using JSTL as follows:

<c:out value="${record.fname}" escapeXml="false" />

Then I have to include escapeXml="false" in my code so that the special characters can be shown in my browser window. But when I remove it, it just shows me the HTML code for that. But when I am displaying my record using a scriptlet as follows:

<%= record.getFname() %>

It automatically shows the special characters only instead of displaying the HTML codes for that.

I would like to mention that I have already done my job, but I am just a little bit confused about which one is better.

Answer

Amit.rk3 · Jul 29, 2015

c:out has escapeXml set to true by default; one purpose of this is to avoid cross-site scripting, such as preventing the execution of scripts or any other HTML tags and displaying them as text instead. So this is an extra feature in JSTL, you can say. If you want to render c:out output as normal HTML content you have to explicitly set escapeXml to false. But <%= record.getFname() %> is equivalent to a plain out.println, which does not have this capability to escape HTML tags.
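To make the two rendering paths comparable outside a servlet container, here is an added example (not code from the question or the answer) that reproduces the character substitutions <c:out> applies when escapeXml is left at its default of true; the record values are constructed and the class and method names are my own.

```java
// Added example: mirrors the escaping <c:out> performs by default so that the
// default path and the escapeXml="false" / scriptlet path can be compared.
// The five substitutions match what JSTL's escapeXml does: < > & ' "
public class EscapeXmlDemo {

    /** Same substitutions <c:out> applies with escapeXml="true". */
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** What <c:out value="${v}"/> writes (default escapeXml="true"). */
    static String cOutDefault(String v) { return escapeXml(v); }

    /** What <c:out value="${v}" escapeXml="false"/> and <%= v %> write. */
    static String rawOut(String v) { return v == null ? "" : v; }

    public static void main(String[] args) {
        // Constructed sample values standing in for record.getFname().
        String[] fnames = {
            "Ren&eacute;",     // special character stored as an HTML entity
            "O'Brien",         // apostrophe
            "<i>Mohal</i>"     // markup stored inside the data itself
        };
        for (String f : fnames) {
            System.out.println("stored          : " + f);
            System.out.println("c:out (default) : " + cOutDefault(f));
            System.out.println("scriptlet / raw : " + rawOut(f));
            System.out.println();
        }
    }
}
```

For the entity-stored value the default path emits Ren&amp;eacute;, which the browser displays literally as the "HTML code" the asker saw, while the raw path lets the browser render it as René. The third value shows the trade-off the answer describes: the raw path also renders any markup that happens to be in the data, whereas the default path shows it as text.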