I gave a presentation to the local JUG last night, titled "JSP is dead; long live JSP". I've always had a love-hate-hold-the-love relationship with JSP, and have recommended alternate technologies at every opportunity.
But JSP 2.0 has really started to float my boat. Such floatation being caused by:
the rtexprvalue=true tag attribute, and
SimpleTag.
You can now plonk an EL expression in the plain text of a JSP page, and the JSP engine will evaluate it (if you have this feature enabled).
These two <li> output the same thing (caveat below!):
<li> thing is ${thing}
<li> thing is <c:out value="${thing}"/> [1]
These two <li> output the same thing ... except that c:out has an attribute escapeXml that defaults to true.
"Huh? Who cares?", you [2] say? If ${thing} can evaluate to something that contains a <, then the output will almost definitely not be what you want. It will be interpreted by the browser as the start of a tag (which, if not a valid HTML tag, will just be ignored, and not displayed).
Yep, putting raw EL into your JSP page will open you up to a whole world of Cross Site Scripting (XSS) holes; or at least a site that will have hard-to-track-down bugs. Unless you know exactly what you are doing (and how many JSP monkeys know exactly what they are doing?), be very careful about using EL to print out data. Use <c:out /> instead.
But that does not write off the value of EL. It is still a godsend when used to supply values to custom tag attributes. Your tag can have a setter of type Object, or String, or int (or whatever!), and the JSP coder can pass in the result of evaluating an EL expression like ${widgets[3].foo}. Automagic type conversion applies.
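As an added example (not code from this post): a SimpleTag whose attributes take EL through typed setters, enabled by rtexprvalue="true" in an assumed TLD, and which escapes what it writes the same way c:out's escapeXml does. The package, class, tag name and taglib URI are assumptions.

```java
package demo;  // assumed package; example added here, not from the post

import java.io.IOException;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.SimpleTagSupport;

// A JSP 2.0 SimpleTag: the JSP coder passes EL into its attributes, the container
// coerces the results to the setter types, and the tag escapes before writing.
public class SafeThingTag extends SimpleTagSupport {
    private Object value;  // ${widgets[3].foo} arrives already evaluated
    private int times = 1; // "${n}" is coerced to int; the tag parses nothing

    public void setValue(Object value) { this.value = value; }
    public void setTimes(int times) { this.times = times; }

    // The five characters JSTL's escapeXml="true" replaces.
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '\'': out.append("&#039;"); break;
                case '"':  out.append("&#034;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    @Override
    public void doTag() throws JspException, IOException {
        String text = escapeXml(String.valueOf(value));
        for (int i = 0; i < times; i++) {
            getJspContext().getOut().write("<li> thing is " + text + "</li>\n");
        }
    }
}
/* Assumed TLD entry (demo.tld); rtexprvalue="true" is what allows EL in the attribute:
<tag><name>safeThing</name><tag-class>demo.SafeThingTag</tag-class>
  <body-content>empty</body-content>
  <attribute><name>value</name><required>true</required><rtexprvalue>true</rtexprvalue></attribute>
  <attribute><name>times</name><rtexprvalue>true</rtexprvalue></attribute></tag>
Usage in a page where ${thing} evaluates to the constructed value "<b>hi</b>":
<%@ taglib prefix="d" uri="http://example.com/demo" %>
<d:safeThing value="${thing}" times="${2}"/>
writes "<li> thing is &lt;b&gt;hi&lt;/b&gt;</li>" twice; a bare ${thing} in page text would hand the browser <b>hi</b>. */
```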
But there is one last thing that really bugs me about JSP. There is no standard way to capture the output of a JSP page, besides making an HTTP request. Have a batch job that needs to send an email? Want to use JSP to template the body of the email? Then embed a full Servlet container in your batch app.
[1] This is the c:out tag from the JSTL.
[2] I really hope no one actually said that.