Eliminate conditions in JSP

teser3

I have a Servlet that checks for information and if there is an issue
it forwards the message to presentation page (JSP). Now I want to stop
using conditions in scriptlets in the JSP. Please advise how I can do
it in this situation in my Tomcat 4.1.27 container:

Servlet that forwards to JSP:

....
String gotopage = "";
if (mydata == 1)
{
    gotopage = "/pager.jsp?mymessage=err";
}
else if (mydata == 34)
{
    gotopage = "/pager.jsp?mymessage=duper";
}
else
{
    gotopage = "/pager.jsp?mymessage=proc";
}

RequestDispatcher dispatcher =
    getServletContext().getRequestDispatcher(gotopage);
dispatcher.forward(request, response);
....



JSP

<%
String mymessage = request.getParameter("mymessage");

if (mymessage.equals("err"))
{
    out.println("Error on the page");
}
else if (mymessage.equals("dup"))
{
    out.println("Duplicate issue.");
}
else if (mymessage.equals("proc"))
{
    out.println("Process message issue");
}
%>


I was thinking maybe a bean or regular Java class to handle this but
not sure how. Here would be my method in a Java class:

public void getMessage(String msg)
{
if(msg.equals("err"))
{
out.println("Error on the page");
}
...

}



Then I would put the method in a bean or what in JSP?
The Servlet would stay the same?
 
Arne Vajhøj

Why not have the servlet store the long text in the request object
and have the JSP simply display it with a <%=whatever%> ?

Arne
 
teser3

Thanks, I guess I don't know how I would do that?
I have shown data in JSP in the past as <%=whatever%> using a
JavaBean but not sure how I would do that using Request object.
Can you provide any example?
 
Arne Vajhøj

String val;
if (mydata == 1)
{
    val = "Error on the page";
}
else if (mydata == 34)
{
    val = "Duplicate issue.";
}
else
{
    val = "Process message issue";
}
// The JSP reads this attribute; it is set only by the servlet.
request.setAttribute("whatever", val);
RequestDispatcher dispatcher =
    getServletContext().getRequestDispatcher("/pager.jsp");
dispatcher.forward(request, response);

Arne
 
teser3

Arne,

Thanks for your time and guidance!
 
Greg Miller

Arne said:
Why not have the servlet store the long text in the request object
and have the JSP simply display it with a <%=whatever%> ?

Note, that using this exact method exposes your website to a cross site
scripting attack (see Wikipedia for an explanation). Before
automatically regurgitating text onto your page you need to make sure
all possible HTML is escaped.
 
Arne Vajhøj

Greg said:
Note, that using this exact method exposes your website to a cross
site scripting attack (see Wikipedia for an explanation). Before
automatically regurgitating text onto your page you need to make sure
all possible HTML is escaped.

No - it does not.

If you bothered reading the thread you replied to then you would
see that the values of whatever were a set of string literals and
not user input.

Arne
 
Greg Miller

Arne said:
No - it does not.

If you bothered reading the thread you replied to then you would
see that the values of whatever were a set of string literals and
not user input.

Regardless of how it's intended to be used, obviously pointing a
browser to
pager.jsp?mymessage=<script>alert('xss');</script> would
cause javascript to run.
 
Arne Vajhøj

Greg said:
Regardless of how it's intended to be used, obviously pointing a
browser to
pager.jsp?mymessage=<script>alert('xss');</script> would
cause javascript to run.

No.

PHP in a bad setup works this way. But JSP does not and never has.

Query string variables are not automatically transferred into
request attributes or Java variables.

Arne
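
Added example, not code from any poster in this thread: a servlet for the forwarding approach discussed above, showing that the "whatever" attribute only ever holds literals set by the servlet, and where HTML escaping does become necessary once an attribute carries user-derived text. PagerServlet, checkData, the "id" parameter and the "detail" attribute are assumed names for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: PagerServlet, checkData, "id" and "detail" are assumed names.
public class PagerServlet extends HttpServlet {

    // Escape characters that are significant in HTML text and quoted attributes.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuffer sb = new StringBuffer(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Assumed stand-in for the check the original post elides with "....".
    static int checkData(HttpServletRequest request) {
        return request.getParameter("id") == null ? 1 : 0;
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        int mydata = checkData(request);
        String val;
        if (mydata == 1)       val = "Error on the page";
        else if (mydata == 34) val = "Duplicate issue.";
        else                   val = "Process message issue";

        // Set only by this code: a ?whatever=... query parameter never lands here.
        request.setAttribute("whatever", val);
        // Derived from user input, so it is escaped before the JSP prints it.
        request.setAttribute("detail", escapeHtml(request.getParameter("id")));

        // pager.jsp prints both with <%= request.getAttribute("whatever") %>
        // and <%= request.getAttribute("detail") %>, with no conditions.
        getServletContext().getRequestDispatcher("/pager.jsp").forward(request, response);
    }
}
```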
 
