rspec/rules/S2493/html/rule.adoc

== Why is this an issue?

Just because you _can_ do something, that doesn't mean you _should_, and the use of full-fledged Java in a JSP or JSF falls into that category. 


Beside the fact that such code isn't resuable, testable, maintainable or OO-inheritable, using Java in such client-side pages can leave you incredibly vulnerable from a number of perspectives including security and resource management.


Instead, any heavy-duty logic should happen server-side in a full-fledged Java class. For lighter-weight functions, taglibs should be used.


This rule flags all uses of JSP declarations (``++<%! ... %>++`` and ``++<jsp:declaration>...</jsp:declaration>++``) and scriptlets (``++<% ... %>++``).


=== Noncompliant code example

[source,html]
----
<%!  // Noncompliant
  private Connection conn = null;

  public void init() {
    try {
      Class.forName("org.hsqldb.jdbcDriver" );
      conn = DriverManager.getConnection("jdbc:hsqldb:mem:SQL", "sa", "");
    } catch (SQLException e) {
      getServletContext().log("Db error: " + e);
    } catch (Exception e) {
    getServletContext().log("System error: " + e);
    }
  }
%>
<%    // Noncompliant
Statement stmt = conn.createStatement();
ResultSet rs = null;
String query = StringEscapeUtils.escapeHtml4(query).replaceAll("'", "&#39");

try {
  String sql = "SELECT PRODUCT, DESC, TYPE, PRICE " +
                     "FROM PRODUCTS" +
                     "WHERE PRODUCT LIKE '%" + query + "%'";
  rs = stmt.executeQuery(sql);

  String output = "";
  int count = 0;
  while (rs.next()) {
    count++;
    output = output.concat("<TR><TD>" + rs.getString("PRODUCT") + 
                                  "</TD><TD>" + rs.getString("DESC") + 
                                  "</TD><TD>" + rs.getString("TYPE") + 
                                  "</TD><TD>" + rs.getString("PRICE") + "</TD></TR>\n");
  }
  if(count > 0){
%>
<TABLE border="1">
<TR><TD>Product</TD><TD>Description</TD><TD>Type</TD><TD>Price</TD></TR>
<%= output %>
</TABLE>
<%  // Noncompliant
  }
} catch (Exception e) {
  // ...
----


=== Compliant solution

[source,html]
----
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>

<table>
    <c:forEach items="${products}" var="product">
        <tr>
            <td>${product.name}</td>
            <td>${product.description}</td>
            <td>${product.type}</td>
            <td>${product.price}</td>
        </tr>
    </c:forEach>
</table>
----


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Move the logic in this scriptlet to a server-side Java class.


'''
== Comments And Links
(visible only on this page)

=== on 11 May 2015, 15:22:11 Massimo PALADIN wrote:
\[~ann.campbell.2] LGTM.

endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`Just because you _can_ do something, that doesn't mean you _should_, and the use of full-fledged Java in a JSP or JSF falls into that category.`


			`Beside the fact that such code isn't resuable, testable, maintainable or OO-inheritable, using Java in such client-side pages can leave you incredibly vulnerable from a number of perspectives including security and resource management.`


			`Instead, any heavy-duty logic should happen server-side in a full-fledged Java class. For lighter-weight functions, taglibs should be used.`


			This rule flags all uses of JSP declarations (``++<%! ... %>++`` and ``++<jsp:declaration>...</jsp:declaration>++``) and scriptlets (``++<% ... %>++``).

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,html]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`<%! // Noncompliant`
			`private Connection conn = null;`

			`public void init() {`
			`try {`
			`Class.forName("org.hsqldb.jdbcDriver" );`
			`conn = DriverManager.getConnection("jdbc:hsqldb:mem:SQL", "sa", "");`
			`} catch (SQLException e) {`
			`getServletContext().log("Db error: " + e);`
			`} catch (Exception e) {`
			`getServletContext().log("System error: " + e);`
			`}`
			`}`
			`%>`
			`<% // Noncompliant`
			`Statement stmt = conn.createStatement();`
			`ResultSet rs = null;`
			`String query = StringEscapeUtils.escapeHtml4(query).replaceAll("'", "&#39");`

			`try {`
			`String sql = "SELECT PRODUCT, DESC, TYPE, PRICE " +`
			`"FROM PRODUCTS" +`
			`"WHERE PRODUCT LIKE '%" + query + "%'";`
			`rs = stmt.executeQuery(sql);`

			`String output = "";`
			`int count = 0;`
			`while (rs.next()) {`
			`count++;`
			`output = output.concat("<TR><TD>" + rs.getString("PRODUCT") +`
			`"</TD><TD>" + rs.getString("DESC") +`
			`"</TD><TD>" + rs.getString("TYPE") +`
			`"</TD><TD>" + rs.getString("PRICE") + "</TD></TR>\n");`
			`}`
			`if(count > 0){`
			`%>`
			`<TABLE border="1">`
			`<TR><TD>Product</TD><TD>Description</TD><TD>Type</TD><TD>Price</TD></TR>`
			`<%= output %>`
			`</TABLE>`
			`<% // Noncompliant`
			`}`
			`} catch (Exception e) {`
			`// ...`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,html]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>`

			`<table>`
			`<c:forEach items="${products}" var="product">`
			`<tr>`
			`<td>${product.name}</td>`
			`<td>${product.description}</td>`
			`<td>${product.type}</td>`
			`<td>${product.price}</td>`
			`</tr>`
			`</c:forEach>`
			`</table>`
			`----`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Move the logic in this scriptlet to a server-side Java class.`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 11 May 2015, 15:22:11 Massimo PALADIN wrote:`
			`\[~ann.campbell.2] LGTM.`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`