Are JSP expressions evaluated inside HTML comments of a JSP page? - html

Are JSP expressions evaluated inside HTML comments of a JSP page?
i.e What would server output in this case?
<!--
Jeremy <%="Flowers"%>
-->
Will the expression be resolved or will it remain as an expression in the HTML comment
a)
<!--
Jeremy <%="Flowers"%>
-->
or b)
<!--
Jeremy Flowers
-->

Yes, the expressions will be resolved. The JSP page doesn't even know it is writing in HTML format, so it doesn't interpret anything HTML-specific.
You can also write plain text using JSP, or JSON, or whatever you like.

Those are html comments, not jsp comments. So, all jsp code inside is still evaluated.
There's also jsp-specific way to comment content: <%-– ... -–%>. Content inside won't be evaluated by the server and won't be passed to the browser. So, it acts as html comment too.

you can even use HTML comments to hide evaluated results from jsp expressions partially when the page is rendered to the browser.
e.g.
`${empty requestScope.errors? "" : "<p id='errors'>Error(s)!
<ul>"}
<!--${requestScope.errors.stream().map(x -> "-->
<li>"x"</li>
<!--").toList()}-->
${empty requestScope.errors? "" : "</ul></p>"}`
the local variable x from requestScope.errors.stream().map(x->) is still evaluated and passed to <li>"+=x+="</li>
output:
` Error(s)!
Product must have a nameProduct must have a price`
if the expressions are not in HTML comment tag, the "[]" symbol will appear due to .toList()
output without HTML tag:
`Error(s)!
[Product must have a nameProduct must have a price]`

Related

Is there a non-javascript/PHP way to write sample code that won't get evaluated? [duplicate]

I use the <pre> tag in my blog to post code. I know I have to change < to < and > to >. Are any other characters I need to escape for correct html?
What happens if you use the <pre> tag to display HTML markup on your blog:
<pre>Use a <span style="background: yellow;">span tag with style attribute</span> to hightlight words</pre>
This will pass HTML validation, but does it produce the expected result? No. The correct way is:
<pre>Use a <span style="background: yellow;">span tag with style attribute</span> to hightlight words</pre>
Another example: if you use the pre tag to display some other language code, the HTML encoding is still required:
<pre>if (i && j) return;</pre>
This might produce the expected result but does it pass HTML validation? No. The correct way is:
<pre>if (i && j) return;</pre>
Long story short, HTML-encode the content of a pre tag just the way you do with other tags.
TL;DR
PHP: htmlspecialchars($html);
JavaScript(JS): Element.innerText = "<html>...";
Note that <pre> is just for styles, so you have to escape ALL HTML.
Only For You HTML "fossil"s: using <xmp> tag
This is not well known, but it really does exist and even chrome still supports it, however using a pair of <xmp> tag is NOT recommended to be relied on - it's just for you HTML fossils, but it's a very simple way to handle your personal content, e.g. DOCS. Even the w3.org Wiki says in its example: "No, really. don't use it."
You can put ANY HTML (excluding </xmp> end tag) inside <xmp></xmp>
<xmp>
<html> <br> just any other html tags...
</xmp>
The proper version
Proper version could be considered to be HTML stored as a STRING and displayed with the help of some escaping function/mechanism.
Just remember one thing - the strings in C-like languages are usually written between single quotes or double quotes - if you wrap your string in double => you should escape doubles (probably with \), if you wrap your string in single => escape singles (probably with \)...
The most frequent - Server-side language escaping (ex. in PHP)
Server-side scripting languages often have some built-in function to escape HTML.
<?php
$html = "<html> <br> or just any other HTML"; //store html
echo htmlspecialchars($html); //display escaped html
?>
Note that in PHP 8.1 there was a change so you no longer have to specify ENT_QUOTES flag:
flags changed from ENT_COMPAT to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.
The client-side way (example in JavaScript / JS&jQuery)
Similar approach as on server-side is achievable in client-side scripts.
Pure JavaScript
There is no function, but there is the default behavior, if you set element's innerText or node's textContent:
document.querySelector('.myTest').innerText = "<html><head>...";
document.querySelector('.myTest').textContent = "<html><head>...";
HTMLElement.innerText and Node.textContent are not the same thing! You can find out more about the difference in the MDN doc links above
jQuery (a JS library)
jQuery has $jqueryEl.text() for this purpose:
$('.mySomething .test').text("<html><head></head><body class=\"test\">...");
Just remember the same thing as for server-side - in C-like languages, escape the quotes you've wrapped your string in.
For posting code within your markup, I suggest using the <code> tag. It works the same way as pre but would be considered semantically correct.
Otherwise, <code> and <pre> only need the angle brackets encoded.
Use this and don't worry about any of them.
<pre>
${fn:escapeXml('
<!-- all your code -->
')};
</pre>
You'll need to have jQuery enabled for it to work.

Difference between ngInclude and ngBindHtml

What is the difference between ng-include and ng-bind-html in angular??
imagine a case when based on some parameters the html will change rather to be for example an image tag or span tag; so There should be a mechanism to add that dynamic html
for example
<!--dynamichtml : <span class='glyphicon glyphicon-plus'></span>-->
<a ng-include="'dynamichtml.html'"></a>
<a ng-bind-html="dynamichtml"></a>
ng-bind-html is described as follows:
Evaluates the expression and inserts the resulting HTML into the element[...]
ng-include, on the other hand
Fetches, compiles and includes an external HTML fragment.
The value in ng-bind-html should evaluate to valid HTML. The value in ng-include should evaluate to a valid URL.
ng-bind-html
ng-bind-html is used when one has a model that contains HTML in the string format. On binding the model with that of the DOM, this gets updated in the element, as its child.
ng-include
This adds an external html file in the DOM. Here, it doesn't gets bind, but only gets attached.
It depends upon the application and the model states, based on which one can decide with which directive to make use of.
Here, you can read more about ng-bind-html and ng-include.

MVC4 using sections to include javascript

I am working on an asp.net MVC4 application. In my layout page, I have the following code
#RenderSection("page-specific", required: false)
and In my view which uses the above layout, I have
#section page-specific{
<script src="~/Scripts/page-specific.js" type="text/javascript"></script>
}
When I run my application, it gives me the following error
Sections cannot be empty. The "#section" keyword must be followed by a block of markup surrounded by "{}"
But all I want to do is include some page specific styles and javascript. I dont want to include any HTML markup in this particular section. How can I do this while avoiding the empty section error?
Try naming it pageSpecific. I haven't tried using a hyphen in a section name before, but I have a feeling mvc might not like that.

Are the tags/comments in HTML auto-corrected by browsers?

Instead of
<!--
,
I used
<!-
...and it is working.
How?
It's not actually working - it's just interpreting it as an actual tag, and then throwing that tag out as invalid.
<!- foo bar -->
is treated as a tag, <!-foo bar--> which obviously isn't a standard HTML tag, and thus is ignored.
Try this, and you'll see it's not truly working as a comment:
<!- >foo bar-->
Modern browser parsers (i.e. those that use the HTML5 parsing algorithm) work like this. If they are expecting text or a new tag next, and they see <! then they check the next few characters to see if they are -- or DOCTYPE or, if they are processing embedded SVG or MathML, [CDATA[. (See http://dev.w3.org/html5/spec/tokenization.html#markup-declaration-open-state)
If, as in the case of <!- foo, none of these match then the parser enters the bogus comment state where all the characters following, up to the next >, are read and and converted into a comment to be put into the DOM.
Hence the behaviour you see with <!- working like a comment start. Note that such behaviour is "repair" behaviour for broken markup and it's wise not to rely on it.
You can see how such markup forms a DOM here: Live DOM Viewer
Also note that this is different to what #Amber says. It is not treated as a tag in any meaningful sense, and it is certainly not ignored.

Emit raw html in ASP page?

This is extremely aggravating. I just want to simply insert raw html. I can't use the literal control because there's no ignoring the quote character. I don't want to use a script element because I'm adding it in a ascx file. I just want raw html output. Is there no operater for this?
I've properbly misunderstood you completely but:
In Classic ASP it is:
<%=("<div style=""color:red;"">html</div>")%>
output:
<div style="color:red;">html</div>