We are having an issue with the JSTL taglib below, since sometimes the values are shown in the browser even though the input type is declared "hidden":
<c:forEach var="homeDesc" items="${homeDescBean.homeCategories}">
<input type="hidden" id='${homeDesc.category}' value='${homeDesc.title}_${homeDesc.experience}_${homeDesc.description}' />
</c:forEach>
looking at the generated HTML we see:
<input type="hidden" id="O2" value="VALUE 16 mq.">
<input type="hidden" id="S3" value="VALUE_VALUE_<br /><div xmlns=" http:="" www.w3.org="" 1999="" xhtml'="">
VALUE THAT SHOULD BE HIDDEN</div>
Please notice that the <br /><div...
does not come from our code and is generated for some reason by JSTL.
You have a slew of quotes in that value, which is making it break out of the quotes around value="". You need to replace the quotes with the HTML entity. You would do the replacement in the controller, set it as a request attribute, and use JSTL.
In the controller:
String str = "VALUE_VALUE_<br /><div xmlns=\" http:=\"\" www.w3.org=\"\" 1999=\"\" xhtml'=\"\">\nVALUE THAT SHOULD BE HIDDEN</div>";
str = str.replaceAll("\"", "&quot;"); // the entity &quot; keeps the quote from closing the attribute
request.setAttribute("htmlsnippet", str);
request.getRequestDispatcher("/WEB-INF/show.jsp").forward(request, response);
In the JSP:
<c:out value="${htmlsnippet}" />
EDIT: But sending hardcoded HTML/XML to the server in a hidden input is a bad idea. You're going to have to validate it again on the server-side, so you might as well leave it in the back-end entirely. Putting it in a hidden input and sending it back to the server gives the user the chance to alter it.
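Added example (not code from the question or the answer above): a small Java escaper for values placed inside a double-quoted HTML attribute. The answer replaces only the double quote; this version also escapes `&`, `<`, `>` and `'`, which is the same set `<c:out>` escapes by default (escapeXml="true"), so the attribute stays well-formed no matter what the description contains. The `main` method builds a constructed sample shaped like the question's `title_experience_description` value and prints the hidden input before and after escaping. The class and method names are this example's own.

```java
public final class AttributeEscaper {

    /**
     * Escapes the characters that can terminate an HTML attribute or inject
     * markup. Escaping '&' as well prevents entities already present in the
     * input from being interpreted and avoids ambiguous double-escaping.
     */
    public static String escapeAttribute(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values mirroring the question's three joined fields.
        String title = "VALUE";
        String experience = "VALUE";
        String description =
            "<br /><div xmlns=\"http://www.w3.org/1999/xhtml\">VALUE THAT SHOULD BE HIDDEN</div>";
        String raw = title + "_" + experience + "_" + description;

        // Before: the first '"' inside the description closes value="..." early,
        // and the <div> is rendered as page content instead of staying hidden.
        System.out.println("<input type=\"hidden\" id=\"S3\" value=\"" + raw + "\" />");

        // After: every special character is an entity, so the browser keeps the
        // whole string inside the attribute and renders nothing from it.
        System.out.println("<input type=\"hidden\" id=\"S3\" value=\"" + escapeAttribute(raw) + "\" />");
    }
}
```

Escape exactly once, at the point where the value is written into the page: `<c:out>` already performs this escaping, so a string escaped in the controller and then emitted through `<c:out>` comes out as `&amp;quot;`. Either escape in the controller and emit with `${}` (or `escapeXml="false"`), or leave the raw value in the request attribute and let `<c:out>` do the work.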