Eliminate conditions in JSP

Discussion in 'Java' started by teser3@hotmail.com, Nov 16, 2007.

  1. Guest

    I have a Servlet that checks for information and if there is an issue
    it forwards the message to presentation page (JSP). Now I want to stop
    using conditions in scriptlets in the JSP. Please advise how I can do
    it in this situation in my Tomcat 4.1.27 container:

    Servlet that forwards to JSP:

    ....
    String gotopage = "";
    if(mydata == 1)
    {
        gotopage = "/pager.jsp?mymessage=err";
    }
    else if(mydata == 34)
    {
        gotopage = "/pager.jsp?mymessage=dup";
    }
    else
    {
        gotopage = "/pager.jsp?mymessage=proc";
    }


    RequestDispatcher dispatcher =
        getServletContext().getRequestDispatcher(gotopage);
    dispatcher.forward(request, response);
    ....



    JSP

    <%
    String mymessage = request.getParameter("mymessage");

    // literal-first equals() avoids a NullPointerException when the parameter is missing
    if("err".equals(mymessage))
    {
        out.println("Error on the page");
    }
    else if("dup".equals(mymessage))
    {
        out.println("Duplicate issue.");
    }
    else if("proc".equals(mymessage))
    {
        out.println("Process message issue");
    }
    %>


    I was thinking maybe a bean or regular Java class to handle this but
    not sure how. Here would be my method in a Java class:

    public void getMessage(String msg)
    {
    if(msg.equals("err"))
    {
    out.println("Error on the page");
    }
    ...

    }



    Then I would put the method in a bean or what in JSP?
    The Servlet would stay the same?
    , Nov 16, 2007
    #1

  2. wrote:
    > I have a Servlet that checks for information and if there is an issue
    > it forwards the message to presentation page (JSP). Now I want to stop
    > using conditions in scriptlets in the JSP. Please advise how I can do
    > it in this situation in my Tomcat 4.1.27 container:
    >
    > Servlet that forwards to JSP:
    >
    > ...
    > String gotopage = "";
    > if(mydata == 1)
    > {
    >     gotopage = "/pager.jsp?mymessage=err";
    > }
    > else if(mydata == 34)
    > {
    >     gotopage = "/pager.jsp?mymessage=dup";
    > }
    > else
    > {
    >     gotopage = "/pager.jsp?mymessage=proc";
    > }
    >
    >
    > RequestDispatcher dispatcher =
    >     getServletContext().getRequestDispatcher(gotopage);
    > dispatcher.forward(request, response);
    > ...
    >
    >
    >
    > JSP
    >
    > <%
    > String mymessage = request.getParameter("mymessage");
    >
    > // literal-first equals() avoids a NullPointerException when the parameter is missing
    > if("err".equals(mymessage))
    > {
    >     out.println("Error on the page");
    > }
    > else if("dup".equals(mymessage))
    > {
    >     out.println("Duplicate issue.");
    > }
    > else if("proc".equals(mymessage))
    > {
    >     out.println("Process message issue");
    > }
    > %>


    Why not have the servlet store the long text in the request object
    and have the JSP simply display it with a <%=whatever%> ?

    Arne
    Arne Vajhøj, Nov 16, 2007
    #2

  3. Guest

    On Nov 15, 7:47 pm, Arne Vajhøj <> wrote:
    > Why not have the servlet store the long text in the request object
    > and have the JSP simply display it with a <%=whatever%> ?
    >
    > Arne


    Thanks, I guess I don't know how I would do that?
    I have shown data in JSP in the past as <%=whatever%> using a
    JavaBean but not sure how I would do that using Request object.
    Can you provide any example?
    , Nov 16, 2007
    #3
  4. wrote:
    > On Nov 15, 7:47 pm, Arne Vajhøj <> wrote:
    >> Why not have the servlet store the long text in the request object
    >> and have the JSP simply display it with a <%=whatever%> ?

    >
    > Thanks, I guess I don't know how I would do that?
    > I have shown data in JSP in the past as <%=whatever%> using a
    > JavaBean but not sure how I would do that using Request object.
    > Can you provide any example?


    String val; // message text chosen on the server side
    if(mydata == 1)
    {
        val = "Error on the page";
    }
    else if(mydata == 34)
    {
        val = "Duplicate issue.";
    }
    else
    {
        val = "Process message issue";
    }
    // the JSP reads this back with request.getAttribute("whatever")
    request.setAttribute("whatever", val);
    RequestDispatcher dispatcher =
        getServletContext().getRequestDispatcher("/pager.jsp");
    dispatcher.forward(request, response);

    Arne
    Arne Vajhøj, Nov 16, 2007
    #4
  5. Guest

    On Nov 15, 9:03 pm, Arne Vajhøj <> wrote:
    > wrote:
    > > On Nov 15, 7:47 pm, Arne Vajhøj <> wrote:
    > >> Why not have the servlet store the long text in the request object
    > >> and have the JSP simply display it with a <%=whatever%> ?

    >
    > > Thanks, I guess I don't know how I would do that?
    > > I have shown data in JSP in the past as <%=whatever%> using a
    > > JavaBean but not sure how I would do that using Request object.
    > > Can you provide any example?

    >
    > String val;
    > if(mydata == 1)
    > {
    >     val = "Error on the page";
    > }
    > else if(mydata == 34)
    > {
    >     val = "Duplicate issue.";
    > }
    > else
    > {
    >     val = "Process message issue";
    > }
    > request.setAttribute("whatever", val);
    > RequestDispatcher dispatcher =
    >     getServletContext().getRequestDispatcher("/pager.jsp");
    > dispatcher.forward(request, response);
    >
    > Arne


    Arne,

    Thanks for your time and guidance!
    , Nov 16, 2007
    #5
  6. Greg Miller Guest

    Arne Vajhøj wrote:

    > Why not have the servlet store the long text in the request object
    > and have the JSP simply display it with a <%=whatever%> ?


    Note that using this exact method exposes your website to a cross-site
    scripting attack (see Wikipedia for an explanation). Before
    automatically regurgitating text onto your page you need to make sure
    all possible HTML is escaped.
    Greg Miller, Nov 17, 2007
    #6
  7. Greg Miller wrote:
    > Arne Vajhøj wrote:
    >> Why not have the servlet store the long text in the request object
    >> and have the JSP simply display it with a <%=whatever%> ?

    >
    > Note that using this exact method exposes your website to a
    > cross-site scripting attack (see Wikipedia for an explanation). Before
    > automatically regurgitating text onto your page you need to make sure
    > all possible HTML is escaped.


    No - it does not.

    If you bothered reading the thread you replied to then you would
    see that the values of whatever were a set of string literals and
    not user input.

    Arne
    Arne Vajhøj, Nov 17, 2007
    #7
  8. Greg Miller Guest

    Arne Vajhøj wrote:

    > No - it does not.
    >
    > If you bothered reading the thread you replied to then you would
    > see that the values of whatever were a set of string literals and
    > not user input.


    Regardless of how it's intended to be used, obviously pointing a
    browser to
    pager.jsp?mymessage=<script>alert('xss');</script> would
    cause javascript to run.
    Greg Miller, Nov 18, 2007
    #8
  9. Arne Vajhøj Guest

    Greg Miller wrote:
    > Arne Vajhøj wrote:
    >> No - it does not.
    >>
    >> If you bothered reading the thread you replied to then you would
    >> see that the values of whatever were a set of string literals and
    >> not user input.

    >
    > Regardless of how it's intended to be used, obviously pointing a
    > browser to
    > pager.jsp?mymessage=<script>alert('xss');</script> would
    > cause javascript to run.


    No.

    PHP in a bad setup works this way. But JSP does not and never has.

    Query string variables are not automatically transferred into
    request attributes or Java variables.

    Arne
    Arne Vajhøj, Nov 18, 2007
    #9
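
Added example, not code from any poster in this thread: a servlet in which the `mymessage` code only selects one of the fixed texts, so nothing from the query string is ever copied into the `whatever` attribute, and the attribute is HTML-escaped anyway in case the texts later include request data. It assumes Java 5 or later and the `javax.servlet` API; the class name `PagerServlet` and the helpers `messageFor` and `escapeHtml` are hypothetical, and the JSP is assumed to print the value with `<%= request.getAttribute("whatever") %>`.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example; PagerServlet is a hypothetical name, not a class from the thread.
public class PagerServlet extends HttpServlet {
    // Fixed server-side texts keyed by the codes used in the original post.
    private static final Map<String, String> MESSAGES = new HashMap<String, String>();
    static {
        MESSAGES.put("err", "Error on the page");
        MESSAGES.put("dup", "Duplicate issue.");
        MESSAGES.put("proc", "Process message issue");
    }

    // Unknown or missing codes (including markup in the URL) fall back to "proc".
    static String messageFor(String code) {
        String text = (code == null) ? null : MESSAGES.get(code);
        return (text != null) ? text : MESSAGES.get("proc");
    }

    // Escapes the characters that are significant in HTML text and attributes.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The raw parameter is used only as a lookup key and is never written to the page.
        String val = messageFor(request.getParameter("mymessage"));
        request.setAttribute("whatever", escapeHtml(val));
        getServletContext().getRequestDispatcher("/pager.jsp").forward(request, response);
    }
}
```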