Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsWhite Papers
Discussion GroupsFirst AidDatabasesJavaBeansGUIJava 3DVirtual MachineCORBASecurityToolsGeneral
Java DirectoryOpen Source ProjectsSample Book ChaptersUser GroupsWeb Resources
Related Topics
Databases.NETMore Topics ...
Java Forum / General / November 2007

Tip: Looking for answers? Try searching our database.

Eliminate conditions in JSP

Thread view: 
Enable EMail AlertsStart New Thread
teser3@hotmail.com - 16 Nov 2007 00:30 GMT
I have a Servlet that checks for information and if there is an issue
it forwards the message to presentation page (JSP). Now I want to stop
using conditions in scriptlets in the JSP. Please advise how I can do
it in this situation in my Tomcat 4.1.27 container:

Servlet that forwards to JSP:

...
String gotopage = "";
if(mydata == 1)
{
    gotopage = /"pager.jsp?mymessage=err";
}
else if(mydata == 34
{
  gotopage = /"pager.jsp?mymessage=duper";
}
else
{
   gotopage = /"pager.jsp?mymessage=proc";
}

RequestDispatcher dispatcher =
 getServletContext().getRequestDispatcher(gotopage);
dispatcher.forward(request, response);
...

JSP

<%
String mymessage = request.getParameter("mymessage")

if(mymessage.equals("err"))
{
    out.println("Error on the page");
}
else if(mymessage.equals("dup"))
{
    out.println("Duplicate issue.");
}
else if(mymessage.equals("proc"))
{
    out.println("Process message issue");
}
%>

I was thinking maybe a bean or regular Java class to handle this but
not sure how. Here would be my method in a Java class:

public void getMessage(String msg)
{
    if(msg.equals("err"))
    {
        out.println("Error on the page");
    }
    ...

}

Then I would put the method in a bean or what in JSP?
The Servlet would stay the same?
Reply to this Message
Arne Vajhøj - 16 Nov 2007 00:47 GMT
> I have a Servlet that checks for information and if there is an issue
> it forwards the message to presentation page (JSP). Now I want to stop
[quoted text clipped - 41 lines]
> }
> %>

Why not have the servlet store the long text in the request object
and have the JSP simply display it with a <%=whatever%> ?

Arne
Reply to this Message
teser3@hotmail.com - 16 Nov 2007 01:31 GMT
> tes...@hotmail.com wrote:
> > I have a Servlet that checks for information and if there is an issue
[quoted text clipped - 49 lines]
>
> - Show quoted text -

Thanks, I guess I dont know how I would do that?
I have showed data in JSP in the past as <%=whatever%> using a
JavaBean but not
sure how I would do that using Request object.  Can you provide any
example?
Reply to this Message
Arne Vajhøj - 16 Nov 2007 02:03 GMT
>> tes...@hotmail.com wrote:
>>> I have a Servlet that checks for information and if there is an issue
[quoted text clipped - 44 lines]
> sure how I would do that using Request object.  Can you provide any
> example?

if(mydata == 1)
{
     val = "Error on the page";
}
else if(mydata == 34
{
    val = "Duplicate issue.";
}
else
{
     val = "Process message issue";
}
request.setAttribute("whatever", val);
RequestDispatcher dispatcher =
  getServletContext().getRequestDispatcher("/pager.jsp");
dispatcher.forward(request, response);

Arne
Reply to this Message
teser3@hotmail.com - 16 Nov 2007 02:12 GMT
> tes...@hotmail.com wrote:
> >> tes...@hotmail.com wrote:
[quoted text clipped - 66 lines]
>
> - Show quoted text -

Arne,

Thanks for your time and guidance!
Reply to this Message
Greg Miller - 17 Nov 2007 15:39 GMT
> Why not have the servlet store the long text in the request object
> and have the JSP simply display it with a <%=whatever%> ?

    Note, that using this exact method exposes your website to a cross site
scripting attack (see Wikipedia for an explanation).  Before
automatically regurgitating text onto your page you need to make sure
all possible HTML is escaped.
Reply to this Message
Arne Vajhøj - 17 Nov 2007 15:44 GMT
>> Why not have the servlet store the long text in the request object
>> and have the JSP simply display it with a <%=whatever%> ?
[quoted text clipped - 3 lines]
> automatically regurgitating text onto your page you need to make sure
> all possible HTML is escaped.

No - it does not.

If you bothered reading the thread you replied to then you would
see that the values of whatever were a set of string literals and
not user input.

Arne
Reply to this Message
Greg Miller - 18 Nov 2007 02:05 GMT
> No - it does not.
>
> If you bothered reading the thread you replied to then you would
> see that the values of whatever were a set of string literals and
> not user input.

    Regardless of how it's intended to be used, obviously pointing a
browser to
pager.jsp?mymessage=&lt;script&gt;alert('xss');&lt;/script&gt; would
cause javascript to run.
Reply to this Message
Arne Vajhøj - 18 Nov 2007 02:20 GMT
>> No - it does not.
>>
[quoted text clipped - 6 lines]
> pager.jsp?mymessage=&lt;script&gt;alert('xss');&lt;/script&gt; would
> cause javascript to run.

No.

PHP in a bad setup works this way. But JSP does not and never has.

Query string variables are not automatically transferred into
request attributes or Java variables.

Arne
Reply to this Message


Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.