Eliminate conditions in JSP

 
 
teser3@hotmail.com
 
      11-16-2007
I have a Servlet that checks for information and if there is an issue
it forwards the message to presentation page (JSP). Now I want to stop
using conditions in scriptlets in the JSP. Please advise how I can do
it in this situation in my Tomcat 4.1.27 container:

Servlet that forwards to JSP:

....
String gotopage = "";
if (mydata == 1)
{
    gotopage = "/pager.jsp?mymessage=err";
}
else if (mydata == 34)
{
    gotopage = "/pager.jsp?mymessage=duper";
}
else
{
    gotopage = "/pager.jsp?mymessage=proc";
}

RequestDispatcher dispatcher =
    getServletContext().getRequestDispatcher(gotopage);
dispatcher.forward(request, response);
....



JSP

<%
String mymessage = request.getParameter("mymessage");

if (mymessage.equals("err"))
{
    out.println("Error on the page");
}
else if (mymessage.equals("dup"))
{
    out.println("Duplicate issue.");
}
else if (mymessage.equals("proc"))
{
    out.println("Process message issue");
}
%>


I was thinking maybe a bean or regular Java class to handle this but
not sure how. Here would be my method in a Java class:

public void getMessage(String msg)
{
if(msg.equals("err"))
{
out.println("Error on the page");
}
...

}



Then I would put the method in a bean or what in JSP?
The Servlet would stay the same?
 
 
 
 
 
Arne Vajhøj
 
      11-16-2007
(E-Mail Removed) wrote:
> I have a Servlet that checks for information and if there is an issue
> it forwards the message to presentation page (JSP). Now I want to stop
> using conditions in scriptlets in the JSP. Please advise how I can do
> it in this situation in my Tomcat 4.1.27 container:
>
> Servlet that forwards to JSP:
>
> ...
> String gotopage = "";
> if(mydata == 1)
> {
> gotopage = /"pager.jsp?mymessage=err";
> }
> else if(mydata == 34
> {
> gotopage = /"pager.jsp?mymessage=duper";
> }
> else
> {
> gotopage = /"pager.jsp?mymessage=proc";
> }
>
>
> RequestDispatcher dispatcher =
> getServletContext().getRequestDispatcher(gotopage) ;
> dispatcher.forward(request, response);
> ...
>
>
>
> JSP
>
> <%
> String mymessage = request.getParameter("mymessage")
>
> if(mymessage.equals("err"))
> {
> out.println("Error on the page");
> }
> else if(mymessage.equals("dup"))
> {
> out.println("Duplicate issue.");
> }
> else if(mymessage.equals("proc"))
> {
> out.println("Process message issue");
> }
> %>


Why not have the servlet store the long text in the request object
and have the JSP simply display it with a <%=whatever%> ?

Arne
 
 
 
 
 
teser3@hotmail.com
 
      11-16-2007
On Nov 15, 7:47 pm, Arne Vajhøj <(E-Mail Removed)> wrote:
> (E-Mail Removed) wrote:
> > I have a Servlet that checks for information and if there is an issue
> > it forwards the message to presentation page (JSP). Now I want to stop
> > using conditions in scriptlets in the JSP. Please advise how I can do
> > it in this situation in my Tomcat 4.1.27 container:

>
> > Servlet that forwards to JSP:

>
> > ...
> > String gotopage = "";
> > if(mydata == 1)
> > {
> > gotopage = /"pager.jsp?mymessage=err";
> > }
> > else if(mydata == 34
> > {
> > gotopage = /"pager.jsp?mymessage=duper";
> > }
> > else
> > {
> > gotopage = /"pager.jsp?mymessage=proc";
> > }

>
> > RequestDispatcher dispatcher =
> > getServletContext().getRequestDispatcher(gotopage) ;
> > dispatcher.forward(request, response);
> > ...

>
> > JSP

>
> > <%
> > String mymessage = request.getParameter("mymessage")

>
> > if(mymessage.equals("err"))
> > {
> > out.println("Error on the page");
> > }
> > else if(mymessage.equals("dup"))
> > {
> > out.println("Duplicate issue.");
> > }
> > else if(mymessage.equals("proc"))
> > {
> > out.println("Process message issue");
> > }
> > %>

>
> Why not have the servlet store the long text in the request object
> and have the JSP simply display it with a <%=whatever%> ?
>
> Arne


Thanks, I guess I don't know how I would do that?
I have shown data in JSP in the past as <%=whatever%> using a
JavaBean but am not sure how I would do that using the Request object.
Can you provide any example?
 
 
Arne Vajhøj
 
      11-16-2007
(E-Mail Removed) wrote:
> On Nov 15, 7:47 pm, Arne Vajhøj <(E-Mail Removed)> wrote:
>> (E-Mail Removed) wrote:
>>> I have a Servlet that checks for information and if there is an issue
>>> it forwards the message to presentation page (JSP). Now I want to stop
>>> using conditions in scriptlets in the JSP. Please advise how I can do
>>> it in this situation in my Tomcat 4.1.27 container:
>>> Servlet that forwards to JSP:
>>> ...
>>> String gotopage = "";
>>> if(mydata == 1)
>>> {
>>> gotopage = /"pager.jsp?mymessage=err";
>>> }
>>> else if(mydata == 34
>>> {
>>> gotopage = /"pager.jsp?mymessage=duper";
>>> }
>>> else
>>> {
>>> gotopage = /"pager.jsp?mymessage=proc";
>>> }
>>> RequestDispatcher dispatcher =
>>> getServletContext().getRequestDispatcher(gotopage) ;
>>> dispatcher.forward(request, response);
>>> ...
>>> JSP
>>> <%
>>> String mymessage = request.getParameter("mymessage")
>>> if(mymessage.equals("err"))
>>> {
>>> out.println("Error on the page");
>>> }
>>> else if(mymessage.equals("dup"))
>>> {
>>> out.println("Duplicate issue.");
>>> }
>>> else if(mymessage.equals("proc"))
>>> {
>>> out.println("Process message issue");
>>> }
>>> %>

>> Why not have the servlet store the long text in the request object
>> and have the JSP simply display it with a <%=whatever%> ?

>
> Thanks, I guess I dont know how I would do that?
> I have showed data in JSP in the past as <%=whatever%> using a
> JavaBean but not
> sure how I would do that using Request object. Can you provide any
> example?


String val;  // text for the JSP to display
if (mydata == 1)
{
    val = "Error on the page";
}
else if (mydata == 34)
{
    val = "Duplicate issue.";
}
else
{
    val = "Process message issue";
}
// Store the text as a request attribute, then forward to the JSP
request.setAttribute("whatever", val);
RequestDispatcher dispatcher =
    getServletContext().getRequestDispatcher("/pager.jsp");
dispatcher.forward(request, response);

Arne
 
 
teser3@hotmail.com
 
      11-16-2007
On Nov 15, 9:03 pm, Arne Vajhøj <(E-Mail Removed)> wrote:
> (E-Mail Removed) wrote:
> > On Nov 15, 7:47 pm, Arne Vajhøj <(E-Mail Removed)> wrote:
> >> (E-Mail Removed) wrote:
> >>> I have a Servlet that checks for information and if there is an issue
> >>> it forwards the message to presentation page (JSP). Now I want to stop
> >>> using conditions in scriptlets in the JSP. Please advise how I can do
> >>> it in this situation in my Tomcat 4.1.27 container:
> >>> Servlet that forwards to JSP:
> >>> ...
> >>> String gotopage = "";
> >>> if(mydata == 1)
> >>> {
> >>> gotopage = /"pager.jsp?mymessage=err";
> >>> }
> >>> else if(mydata == 34
> >>> {
> >>> gotopage = /"pager.jsp?mymessage=duper";
> >>> }
> >>> else
> >>> {
> >>> gotopage = /"pager.jsp?mymessage=proc";
> >>> }
> >>> RequestDispatcher dispatcher =
> >>> getServletContext().getRequestDispatcher(gotopage) ;
> >>> dispatcher.forward(request, response);
> >>> ...
> >>> JSP
> >>> <%
> >>> String mymessage = request.getParameter("mymessage")
> >>> if(mymessage.equals("err"))
> >>> {
> >>> out.println("Error on the page");
> >>> }
> >>> else if(mymessage.equals("dup"))
> >>> {
> >>> out.println("Duplicate issue.");
> >>> }
> >>> else if(mymessage.equals("proc"))
> >>> {
> >>> out.println("Process message issue");
> >>> }
> >>> %>
> >> Why not have the servlet store the long text in the request object
> >> and have the JSP simply display it with a <%=whatever%> ?

>
> > Thanks, I guess I dont know how I would do that?
> > I have showed data in JSP in the past as <%=whatever%> using a
> > JavaBean but not
> > sure how I would do that using Request object. Can you provide any
> > example?

>
> if(mydata == 1)
> {
> val = "Error on the page";}
>
> else if(mydata == 34
> {
> val = "Duplicate issue.";}
>
> else
> {
> val = "Process message issue";}
>
> request.setAttribute("whatever", val);
> RequestDispatcher dispatcher =
> getServletContext().getRequestDispatcher("/pager.jsp");
> dispatcher.forward(request, response);
>
> Arne


Arne,

Thanks for your time and guidance!
 
 
Greg Miller
 
      11-17-2007
Arne Vajhøj wrote:

> Why not have the servlet store the long text in the request object
> and have the JSP simply display it with a <%=whatever%> ?


Note that using this exact method exposes your website to a cross-site
scripting attack (see Wikipedia for an explanation). Before
automatically regurgitating text onto your page you need to make sure
all possible HTML is escaped.
 
 
Arne Vajhøj
 
      11-17-2007
Greg Miller wrote:
> Arne Vajhøj wrote:
>> Why not have the servlet store the long text in the request object
>> and have the JSP simply display it with a <%=whatever%> ?

>
> Note, that using this exact method exposes your website to a cross
> site scripting attack (see Wikipedia for an explanation). Before
> automatically regurgitating text onto your page you need to make sure
> all possible HTML is escaped.


No - it does not.

If you bothered reading the thread you replied to then you would
see that the values of whatever were a set of string literals and
not user input.

Arne
 
 
Greg Miller
 
      11-18-2007
Arne Vajhøj wrote:

> No - it does not.
>
> If you bothered reading the thread you replied to then you would
> see that the values of whatever were a set of string literals and
> not user input.


Regardless of how it's intended to be used, obviously pointing a
browser to
pager.jsp?mymessage=<script>alert('xss');</script> would
cause JavaScript to run.
 
 
Arne Vajhøj
 
      11-18-2007
Greg Miller wrote:
> Arne Vajhøj wrote:
>> No - it does not.
>>
>> If you bothered reading the thread you replied to then you would
>> see that the values of whatever were a set of string literals and
>> not user input.

>
> Regardless of how it's intended to be used, obviously pointing a
> browser to
> pager.jsp?mymessage=<script>alert('xss');</script> would
> cause JavaScript to run.


No.

PHP in a bad setup works this way. But JSP does not and never has.

Query string variables are not automatically transferred into
request attributes or Java variables.

Arne
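
The two output patterns debated in this thread, as an added example that is not code from any poster: a servlet-chosen literal stored as a request attribute, and text taken from the mymessage query parameter, each passed through an HTML escaper before it is written out. PagerMessageDemo, messageFor and escapeHtml are hypothetical names, and plain maps stand in for the servlet request so the class runs without a container.

```java
import java.util.HashMap;
import java.util.Map;

public class PagerMessageDemo {

    // Fixed literals from the thread, selected by the servlet's mydata value.
    static String messageFor(int mydata) {
        switch (mydata) {
            case 1:  return "Error on the page";
            case 34: return "Duplicate issue.";
            default: return "Process message issue";
        }
    }

    // Minimal HTML escaper for text placed in element content or a quoted attribute.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed request: parameters come from the client, attributes from the servlet.
        Map<String, String> parameters = new HashMap<>();
        Map<String, Object> attributes = new HashMap<>();
        parameters.put("mymessage", "<b>client-supplied</b>"); // constructed sample input

        // Servlet side: the attribute is chosen from literals; the parameter is never copied into it.
        attributes.put("whatever", messageFor(34));

        // JSP side, pattern 1: print the attribute. Escaping leaves these literals unchanged
        // and still holds if a later change stores dynamic text in the attribute.
        System.out.println(escapeHtml((String) attributes.get("whatever")));

        // JSP side, pattern 2: echo a parameter. Escaping turns the markup into inert text.
        System.out.println(escapeHtml(parameters.get("mymessage")));
    }
}
```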


 