Tag: out

The <wcf:out> tag is used to display the output to the user. This tag provides an option to use an encoding library to encode the output value, protecting against possible cross-site scripting attacks.

The <wcf:out> tag is used to check for the <XSiteScriptingProtection enable="true"/> attribute in the wc-server.xml file. If the enable attribute is set to true, <wcf:out> verifies that an encoding library can be used to encode the output value. If the enabled attribute is false, the <wcf:out> tag behaves like a <c:out> tag.

You can use the following syntax to escape Javascript special characters:
<wcf:out value="${localeValue}" escape="true" escapeFormat="js" />
This would escape the following characters:
<
>
&
'
"
\
\n
\r
\t
\f
The <wcf:out> tag reads an XSiteEncoding.properties file to decide on the following properties:
  • The encoder class to use.
  • The encoder instance method to use.
  • The encoder methods for each of the escape formats.

Tag information

Tag information
Body Content empty

Attributes

Attributes

Attribute Required Request-time Type Description
value true true java.lang.String That value that displays to the user.
escape false true java.lang.String A flag that indicates whether the value is to be escaped or not.
escapeFormat false true java.lang.String The escape format to use. The default value is xml. Other possible values are html, js, and url.

Variables

No variables are defined for the <wcf:out> tag.

Example

The following example is a snippet of a XSiteEncoding.properties file that uses the OWASP ESAPI library for encoding:
#Begin XSiteEncoding.properties
#This file sets the encoder properties defined corresponding to OWASP library.

#The encoder class 
EncoderClass=org.owasp.esapi.ESAPI

#The static instance method which returns the instance of the Encoder.
EncoderInstanceMethod=encoder

#The escape formats and their corresponding method in the Encoder instance.
js=encodeForJavaScript
html=encodeForHTML
xml=encodeForXML
url=encodeForURL

#End XSiteEncoding.properties