How to disable scripting elements in JSP pages?

With the introduction of the Expression Language (EL) in JSP 2.0 it is recommended to use EL instead of scripting elements (scriptlets). That means that when we want to access server-side objects it is recommended to use EL rather than writing Java code in the JSP pages.

For this purpose JSP 2.0 gives us a feature to disable scripting elements: define a scripting-invalid element within the <jsp-property-group> in the deployment descriptor (web.xml) file.

Here is the JSP configuration that you need to add in the web.xml file:

<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">
    <display-name>JSP Examples</display-name>

    <jsp-config>
        <jsp-property-group>
            <url-pattern>*.jsp</url-pattern>
            <scripting-invalid>true</scripting-invalid>
        </jsp-property-group>
    </jsp-config>
</web-app>

When you request a JSP page that contains scripting elements, the container will give you an error message like this:

HTTP Status 500 - /sessionWriteRead.jsp (line: 10, column: 2) Scripting elements ( <%!, <jsp:declaration, <%=, <jsp:expression, <%, <jsp:scriptlet ) are disallowed here.
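As an added example (not part of the original article), the following Python script performs the same check ahead of deployment: it reads the url-patterns that web.xml marks scripting-invalid and reports, for each covered JSP, the lines the container would reject, so leftover scriptlets can be found before the switch is flipped. It assumes web.xml and the JSP sources are available as strings; the sample input is constructed.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatch

# Classic (<%, <%=, <%!) and XML-syntax scripting elements. Directives (<%@) and
# comments (<%--) are not scripting elements; the lookahead leaves them alone.
SCRIPTING_RE = re.compile(r"<%(?![@-])|<jsp:(?:scriptlet|expression|declaration)\b")

def scripting_invalid_patterns(web_xml: str) -> list:
    """url-patterns of every jsp-property-group that sets scripting-invalid=true."""
    root = ET.fromstring(web_xml)
    ns = {"j": root.tag[1:].split("}")[0]} if root.tag.startswith("{") else {}
    q = (lambda tag: "j:" + tag) if ns else (lambda tag: tag)
    patterns = []
    for group in root.iterfind(".//" + q("jsp-property-group"), ns):
        flag = group.findtext(q("scripting-invalid"), default="false", namespaces=ns)
        if flag.strip().lower() == "true":
            patterns += [(p.text or "").strip() for p in group.iterfind(q("url-pattern"), ns)]
    return patterns

def url_matches(path: str, pattern: str) -> bool:
    """Servlet url-pattern rules: '/dir/*' prefix, '*.ext' extension, else exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return fnmatch(path, pattern)
    return path == pattern

def find_violations(web_xml: str, pages: dict) -> dict:
    """Map each page covered by a scripting-invalid group to the 1-based lines it would reject."""
    patterns = scripting_invalid_patterns(web_xml)
    report = {}
    for path, source in pages.items():
        if any(url_matches(path, p) for p in patterns):  # pages outside every pattern are skipped
            hits = [n for n, ln in enumerate(source.splitlines(), 1) if SCRIPTING_RE.search(ln)]
            if hits:
                report[path] = hits
    return report

# Constructed sample input: the article's web.xml (trimmed) and three small pages.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0"><jsp-config>
  <jsp-property-group><url-pattern>*.jsp</url-pattern>
  <scripting-invalid>true</scripting-invalid></jsp-property-group></jsp-config></web-app>"""
PAGES = {
    "/sessionWriteRead.jsp": '<%@ page contentType="text/html" %>\n<%-- note --%>\n<% out.print(1); %>\n<%= session.getId() %>\n',
    "/clean.jsp": '<%@ page contentType="text/html" %>\n${sessionScope.user}\n',
    "/legacy/old.jspx": "<jsp:scriptlet>int x = 1;</jsp:scriptlet>\n",  # *.jsp does not cover .jspx
}
```

Note that the third page is skipped because the article's *.jsp pattern does not cover .jspx files; a property group only restricts the paths it matches.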

What are the scripting elements in JSP page?

There are three types of scripting elements available when writing a JSP page. These scripting elements include:

  • Scriptlets, which are blocks of Java code.
  • Expressions, which are evaluated and whose result is printed out.
  • Declarations, which can be used to declare variables or methods.

Scriptlets

A scriptlet is a block of Java code that begins with <% and is closed by %>. We can have multiple scriptlet blocks inside a JSP page. The following example shows you how to write scriptlets:

<%@ page import="java.text.DateFormat" %>
<%@ page import="java.text.SimpleDateFormat" %>
<%@ page import="java.util.Date" %>
<%@ page import="java.util.Calendar" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<!DOCTYPE html>
<html>
<head>
    <title>JSP - Scripting Scriptlets</title>
</head>
<body>
<%
    DateFormat formatter = new SimpleDateFormat("EEE, dd/MM/yyyy HH:mm:ss");
    out.print(formatter.format(new Date()));
%>
<br/>
<%
    Calendar calendar = Calendar.getInstance();
    out.print(formatter.format(calendar.getTime()));
%>
</body>
</html>

In the scriptlets above, the formatter object created in the first scriptlet is used again in the second scriptlet. Any objects or variables declared in the first scriptlet are available in the second scriptlet, because all scriptlets of a page are compiled into the same service method.

Expression

To create an expression in JSP we use <%= and close it with %>. The expression inside this kind of block is evaluated and its value is printed out as part of the JSP page output. We can say that the expression block is a shortcut for the out.print() method in a JSP page. Notice also that an expression doesn’t end with a semicolon.

Here is an example of an expression in a JSP page:

<%@ page import="java.util.Date" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<!DOCTYPE html>
<html>
<head>
    <title>JSP - Scripting Expressions</title>
</head>
<body>
Today is: <%= new Date() %><br/>
Session Id: <%= session.getId() %><br/>

<%-- The expressions above are equivalent to the following scriptlets --%>

Today is: <% out.print(new Date()); %><br/>
Session Id: <% out.print(session.getId()); %>
</body>
</html>

Declarations

The last scripting element is the declaration. A declaration element starts with <%! and ends with %>. We can use this block to declare variables and methods that can be used in a JSP page. Let’s see an example below:

<%@ page import="java.util.Date" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<!DOCTYPE html>
<%!
    public int add(int number1, int number2) {
        return number1 + number2;
    }

    public Date getDate() {
        return new Date();
    }
%>
<html>
<head>
    <title>JSP Declarations</title>
</head>
<body>
Today is: <%= getDate() %><br/>
20 + 10 = <%= add(20, 10) %>
</body>
</html>