JSP : JSTL's <c:out> tag
Solution 1:
c:out escapes HTML characters so that you can avoid cross-site scripting.
If person.name = <script>alert("Yo")</script>
the script will be executed in the second case, but not when using c:out.
Solution 2:
As Will Wagner said, in old versions of JSP you should always use c:out
to output dynamic text.
Moreover, using this syntax:
<c:out value="${person.name}">No name</c:out>
you can display the text "No name" when name is null.
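The following page is an added example, not code from either answer, that puts the behaviours described in both solutions side by side. It assumes the JSTL 1.2 taglib URIs, that the unescaped form being compared is a bare `${person.name}` expression, and a constructed `person` map plus a hypothetical empty `nobody` map as sample data.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>

<%-- Constructed sample data: one name containing markup, one missing name. --%>
<%
    java.util.Map<String, String> person = new java.util.HashMap<String, String>();
    person.put("name", "<script>alert(\"Yo\")</script>");
    request.setAttribute("person", person);
    // "nobody" is a hypothetical second bean with no name set.
    request.setAttribute("nobody", new java.util.HashMap<String, String>());
%>

<%-- 1. Bare EL in template text: the value is written into the page as-is,
        so the browser parses the <script> element and runs it. --%>
<p>${person.name}</p>

<%-- 2. c:out with its default escapeXml="true": the characters < > & ' "
        are written as character entities, so the value is shown as text. --%>
<p><c:out value="${person.name}" /></p>

<%-- 3. The tag body is the fallback used when the value is null
        (the default attribute does the same thing). --%>
<p><c:out value="${nobody.name}">No name</c:out></p>
<p><c:out value="${nobody.name}" default="No name" /></p>

<%-- 4. escapeXml="false" switches the escaping off again; this line behaves
        like case 1 and should only be used for markup you generated yourself. --%>
<p><c:out value="${person.name}" escapeXml="false" /></p>

<%-- 5. Inside an HTML attribute a tag cannot be nested in the attribute
        value, so use the fn:escapeXml function for the same escaping. --%>
<input type="text" name="name" value="${fn:escapeXml(person.name)}" />
```

The escaping covers HTML text and quoted attribute values only; a value written into a script block, a URL or a style rule needs encoding for that context instead.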