JSP/Servlet | JSTL(JSP Standard Tag Library) | Output and Variables <c:out>, <c:set>, <c:remove>
When learning programming, variables are one of the first things you learn. JSTL also has tags for handling variables. This section explains variable output, declaration, and deletion.
Output <c:out>
Attributes
| Item | Description | Required | Default |
|---|---|---|---|
| value | Value to output | Required | |
| default | Alternative value output when the variable is null | | body |
| escapeXml | true when the tag should escape special XML characters. | | true |
Usage forms
Basic form
<c:out value="foo" />
- The value foo is output as-is.
Using a variable and default replacement
<c:out value="${name}" default="foo" />
- When specifying a variable, use ${variableName}.
- If the name variable is null, the default value is output instead.
Usage example
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<html>
<head>
<title>&lt;c:out&gt; Tag Example</title>
</head>
<body>
<c:out value="${'<tag> , &'}"/>
</body>
</html>
Result
<tag> , &
Appendix: XSS (Cross-site Scripting)
Cross-site scripting (XSS) refers to cases where an attacker sends code to the server, the application includes it in a page, and an unintended program is executed in the browser of whoever views that page. The code is usually JavaScript, so you must always be careful when receiving values from users and displaying them on the screen.
For example, if you receive the string <script>alert(1)</script> from a user and display it directly on the screen, an alert window will appear. If you output the string through <c:out>, it is escaped: the script is not executed and the entered string is only displayed as text.
<c:out> is useful for XSS protection, as long as escapeXml is left at its default of true.
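The difference described above, side by side, as an added example that is not part of the original page. The variable name comment and its constructed value are assumptions standing in for user input such as ${param.comment}; fn:escapeXml comes from the JSTL functions library.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%-- Constructed sample input; a real page would read it from the request --%>
<c:set var="comment" value="${'<script>alert(1)</script>'}" />
<html>
<head>
<title>c:out escaping comparison</title>
</head>
<body>
<%-- 1. Raw EL in template text is written unescaped: the browser runs the script --%>
<p>Raw EL: ${comment}</p>

<%-- 2. escapeXml="false" switches escaping off: same result as raw EL --%>
<p>escapeXml=false: <c:out value="${comment}" escapeXml="false"/></p>

<%-- 3. Default c:out (escapeXml=true): the response contains
        &lt;script&gt;alert(1)&lt;/script&gt; and the browser shows it as text --%>
<p>c:out: <c:out value="${comment}"/></p>

<%-- 4. value is null here, so default is used; it goes through the same escaping --%>
<p>Fallback: <c:out value="${missing}" default="<no comment>"/></p>

<%-- 5. fn:escapeXml applies the same escaping inside an EL expression.
        Quotes are escaped too, so the value cannot close the attribute. --%>
<input type="text" name="comment" value="${fn:escapeXml(comment)}"/>
</body>
</html>
```

Lines 1 and 2 trigger the alert; lines 3 to 5 display the text only. The escaping covers <, >, &, ' and ", which is suited to HTML body text and quoted attribute values, not to values placed inside a script block or a URL.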
Variable declaration <c:set>
Attributes
| Item | Description | Required | Default |
|---|---|---|---|
| value | Information to store | | body |
| target | Variable name whose property should be modified | | |
| property | Property to modify | | |
| var | Variable name to store information in | | |
| scope | Scope of the variable that stores information | | Page |
Usage forms
Basic form
<c:set var="name" value="foo" />
- Usually, only the variable name and value are used.
Setting scope
<c:set var="name" value="foo" scope="request" />
- You can specify page, request, or session. If omitted, the default is page.
Changing a variable value
<c:set var="name" value="foo" />
<c:set var="name" value="hello" />
- If you set a variable name that already exists, the value set last is stored.
Usage example
<%@ taglib uri = "http://java.sun.com/jsp/jstl/core" prefix = "c" %>
<html>
<head>
<title>&lt;c:set&gt; Tag Example</title>
</head>
<body>
<c:set var="foo" scope="session" value="hello"/>
<c:out value="${foo}"/>
</body>
</html>
Result
hello
Removing variables <c:remove>
This is used when you want to completely delete a variable defined through <c:set>.
Attributes
| Item | Description | Required | Default |
|---|---|---|---|
| var | Variable name to delete | Required | |
| scope | Scope of the variable to delete | | All scopes |
Usage forms
Basic form
<c:remove var="name" />
Setting scope
<c:remove var="name" scope="page" />
- If scope is not specified, all variables with the same name are deleted.
Usage example
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<html>
<head>
<title>&lt;c:remove&gt; Tag Example</title>
</head>
<body>
<c:set var="foo" value="hello" scope="session"/>
<p>Before deletion foo=<c:out value="${foo}"/></p>
<c:remove var = "foo"/>
<p>After deletion foo=<c:out value="${foo}"/></p>
</body>
</html>
Result
Before deletion foo=hello
After deletion foo=