|
|
|
@ -57,7 +57,7 @@ import org.springframework.web.util.UriUtils; |
|
|
|
* over direct EL substitution as the values are URL encoded. Failure to properly |
|
|
|
* over direct EL substitution as the values are URL encoded. Failure to properly |
|
|
|
* encode URL can leave an application vulnerable to XSS and other injection attacks. |
|
|
|
* encode URL can leave an application vulnerable to XSS and other injection attacks. |
|
|
|
* |
|
|
|
* |
|
|
|
* <p>URLs can be HTML/XML escaped by setting the {@link #setHtmlEscape(String) |
|
|
|
* <p>URLs can be HTML/XML escaped by setting the {@link #setHtmlEscape(boolean) |
|
|
|
* 'htmlEscape'} attribute to 'true'. Detects an HTML escaping setting, either on |
|
|
|
* 'htmlEscape'} attribute to 'true'. Detects an HTML escaping setting, either on |
|
|
|
* this tag instance, the page level, or the {@code web.xml} level. The default |
|
|
|
* this tag instance, the page level, or the {@code web.xml} level. The default |
|
|
|
* is 'false'. When setting the URL value into a variable, escaping is not recommended. |
|
|
|
* is 'false'. When setting the URL value into a variable, escaping is not recommended. |
|
|
|
|
Nicholas Williams
11 years ago
committed by
Phillip Webb