how to add el code and jstl code to the textbox generated dyanmically like ${fn:escapeXml(param.foo)} as value of textbox.
问题:
回答1:
That's not possible. Webbrowser doesn't understand JSTL and EL code. It only understands HTML/CSS/JS code. This JSTL/EL code has to run in the webserver. Your best bet is to let JavaScript send an Ajax request to the server which in turn runs some JSP with JSTL/EL code and then returns the generated HTML response and finally let JavaScript display that HTML.
If your sole functional requirement is to HTML/XML-encode a JavaScript variable as fn:escapeXml()
does for JSP, then head to the answers of this question: HTML-encoding lost when attribute read from input field.
Please note that there is no XSS risk as long as the data is stored fully client side. Once you send the data to server and the server stores it and redisplays it to another enduser, then there's means of a XSS risk. For that fn:escapeXml()
in JSP can just be used since it's the server which redisplays it.
回答2:
if you generate dynamically textbox using javascript, you have page at client side so now you have no chance to substitute EL resolved..
回答3:
You can't do that. EL and JSTL get executed on the server. JavaScript gets executed on the client after that. JavaScript can't do anything to affect EL or JSTL.