JSP is dead, long live JSP (or, EL and tag injection)

12 Feb 2004

I gave a presentation to the local JUG last night, titled "JSP is dead; long live JSP". I've always had a love-hate-hold-the-love relationship with JSP, and have recommended alternate technologies at every opportunity.

But JSP 2.0 has really started to float my boat. Such floatation being caused by:

  • Expression Language (EL). You can now put EL expressions inline in your JSP (see below), and as arguments to any rtexprvalue=true tag attribute.
  • A whole world of pleasurable tag implementations, with SimpleTag.
  • Tagfiles: you can implement tags in JSP (as opposed to having to write Java code), for those display-oriented tags.

EL and tag injection

You can now plonk an EL expression in the plain-text of a JSP page, and the JSP engine will evaluate it (if you have this feature enabled). These two <li> output the same thing (caveat below!).

<li> thing is ${thing}
<li> thing is <c:out value="${thing}"/>   [1]

These two <li> output the same thing ... except that c:out has an attribute escapeXml that defaults to true.

"Huh? Who cares?", you2 say? If ${thing} can evaluate to something that contains a <, then the output will almost definitely not be what you want. It will be interpreted by the browser as the start of a tag (which, if not a valid HTML tag, will just be ignored, and not displayed).

Yep, putting raw EL into your JSP page will open you up to a whole world of Cross Site Scripting (XSS) holes; or at least a site that will have hard-to-track-down bugs. Unless you know exactly what you are doing (and how many JSP monkeys know exactly what they are doing?), be very careful about using EL to print out data. Use <c:out /> instead.
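To make the escapeXml difference concrete, here is an added example (not from the original post, and not JSTL's own source) that reimplements the escaping c:out applies and renders a constructed value both ways; the class and method names are hypothetical, and the escape set assumes JSTL's escapeXml rewrites the five characters < > & ' ":

```java
// Added example, not from the original post: a minimal model of what
// <c:out escapeXml="true"> does to a value, next to raw EL output.
public class EscapeDemo {

    // Reimplementation (assumption: mirrors JSTL's escapeXml, which
    // rewrites < > & ' " so the browser shows them as literal text).
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '\'': out.append("&#039;"); break;
                case '"':  out.append("&#034;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // What "<li> thing is ${thing}" emits: the value is copied verbatim,
    // so any '<' in it becomes the start of a tag for the browser.
    static String renderRawEl(String thing) {
        return "<li> thing is " + thing;
    }

    // What "<li> thing is <c:out value=\"${thing}\"/>" emits with the
    // default escapeXml="true": the value is shown as literal text.
    static String renderCOut(String thing) {
        return "<li> thing is " + escapeXml(thing);
    }

    public static void main(String[] args) {
        // Constructed sample value: a '<' followed by text the browser
        // would treat as an (unknown, hence silently dropped) tag.
        String thing = "1 < 2 <and some text> & more";
        System.out.println(renderRawEl(thing)); // "<and some text>" vanishes in the browser
        System.out.println(renderCOut(thing));  // every character survives as text
    }
}
```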

But that does not write off the value of EL. It is still a godsend when used to supply values to custom tag attributes. Your tag can have a setter of type Object, or String or int (or whatever!), and the JSP coder can pass in the result of evaluating an EL like ${widgets[3].foo}. Automagic type conversion applies.

But one last thing

But there is one last thing that really bugs me about JSP. There is no standard way to capture the output of a JSP page, besides making an HTTP request. Have a batch job that needs to send an email? Want to use JSP to template the body of the email? Then embed a full Servlet container in your batch app.

[1] This is the c:out tag from the JSTL.

[2] I really hope no one actually said that.
