Difference between EL expression c:out and ${} in JSTL

1. First of all, both are expressions used to output content in JSP.

2. When output through c:out, the <c:out> tag escapes XML markup characters so that they are not treated as tags. This is because it has an attribute escapeXml, which defaults to true. The content is displayed exactly as written instead of being interpreted as something else. For example, in a cross-site scripting (XSS) attack where student.name = <script>alert("hello world!")</script>, ${student.name} will execute the script, while c:out will not: it outputs the string as plain text.

3. When ${} is output, the characters are not escaped, so the markup is interpreted and the JS will be executed.

4. c:out has a default attribute escapeXml="true" that escapes special characters such as '<', '>' and '&', while EL expressions do not. If it is set to false, the effect is the same as ${}.

There is one thing to pay attention to:

When using the Spring MVC form tag sf:input, c:out does not work: it is output literally as part of the string, so the field needs to be changed to a native input.
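The four output forms compared above, plus the native input from the last note, side by side in one page. This is an added example, not code from the original article; the `student` map is constructed sample data, and `fn:escapeXml` is the standard JSTL function that applies the same escaping as c:out inside an EL expression.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%
    // Constructed sample data: in a real application this value would
    // arrive from a request parameter or a database row.
    java.util.Map<String, String> student = new java.util.HashMap<String, String>();
    student.put("name", "<script>alert(\"hello world!\")</script>");
    request.setAttribute("student", student);
%>
<html>
<body>

<%-- 1. Plain EL: the value is written as-is, so the browser parses the
        <script> element and runs it. --%>
<p>${student.name}</p>

<%-- 2. c:out with the default escapeXml="true": < > & ' " are replaced by
        character entities, so the browser shows the text and runs nothing. --%>
<p><c:out value="${student.name}" /></p>

<%-- 3. c:out with escapeXml="false": same output as case 1. --%>
<p><c:out value="${student.name}" escapeXml="false" /></p>

<%-- 4. fn:escapeXml: the same escaping as case 2, usable inside EL. --%>
<p>${fn:escapeXml(student.name)}</p>

<%-- 5. Native input with the value escaped by c:out. The double quote is
        escaped too, so the value cannot close the attribute early. --%>
<input type="text" name="name" value="<c:out value='${student.name}' />" />

</body>
</html>
```

Viewing the page source shows the difference directly: cases 1 and 3 contain a literal `<script>` element, while cases 2, 4 and 5 contain `&lt;script&gt;`.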

 
