Tag: out

The wcf:out tag is used to display the output to the user. This tag provides an option to use an encoding library to encode the output value, protecting against possible cross-site scripting attacks.

The implementation of the wcf:out tag checks for the <XSiteScriptingProtection enable="true"/> attribute in the wc-server.xml file. If the enable attribute is set to true, wcf:out checks whether an encoding library can be used for encoding the output value.

The wcf:out tag reads an XSiteEncoding.properties file to decide on the following properties:
  • The encoder class to use.
  • The encoder instance method to use.
  • The encoder methods for each of the escape formats.

Beginning in Fix Pack 6, the XSiteEncoding.properties file is provided in the WC_eardir/properties directory. By default, the file uses the following encoding class that handles JavaScript encoding: com.ibm.commerce.foundation.internal.client.taglib.util.XSiteEncoder. To see how the encoding class can be changed by using the OWASP ESAPI library, see the example in the Example section.

Tag information

Tag information
Body Content empty



Attribute Required Request-time Type Description
value true true java.lang.String That value that displays to the user.
escape false true java.lang.String A flag that indicates whether the value is to be escaped or not.
escapeFormat false true java.lang.String The escape format to use. The default value is xml. Other possible values are html, js, and url.


No variables are defined for the wcf:out tag.


The following example is a snippet of a XSiteEncoding.properties file that uses the OWASP ESAPI library for encoding:
#Begin XSiteEncoding.properties
#This file sets the encoder properties defined corresponding to OWASP library.

#The encoder class 

#The static instance method which returns the instance of the Encoder.

#The escape formats and their corresponding method in the Encoder instance.

#End XSiteEncoding.properties