Are they a way to improve JSP security?

Question

Are they a way to improve JSP security?

I added JSP compilation to my project, but, nevertheless, the compiler does not check for invalid macros such as $ {object.value}, where the object does not have a getter for the value.

I am wondering if there are other ways to guide the JSP compiler (jspc) for this. I considered some options: 1. Explicitly declare an object type inside JSP (jsp: useBean?). 2. Using the construction <% =%> instead of $ {}

But none of this helped.

I would be grateful if someone shared their experience in this area.

+4

java syntax validation jsp compilation

seas Jul 11 '11 at 9:43

source share

2 answers

mindas · Answer 1 · 2011-07-11T10:12:51+0000

Use <jsp:useBean id="yourId" scope="request" type="com.blah.YourClass"/> and precompile the JSP.

Read this article for more details.

duffymo · Answer 2 · 2011-07-11T09:48:29+0000

Not unless you want to radically redesign how JSPs run.

The HTML that it creates is also not safe.

The best you can do is use Model-2 MVC, where you have servlets that work with JSP. Let the servlet worry about binding, checking, and verifying that the necessary objects fall into the page area. Pages should be display-oriented only.

The idea of the script is terrible. No one should put scriptlet code in the JSP. Learn and use JSTL.

Are they a way to improve JSP security?

More articles: