2021-04-28 16:49:39 +02:00
Just because you _can_ do something, that doesn't mean you _should_, and the use of full-fledged Java in a JSP or JSF falls into that category.
Beside the fact that such code isn't resuable, testable, maintainable or OO-inheritable, using Java in such client-side pages can leave you incredibly vulnerable from a number of perspectives including security and resource management.
Instead, any heavy-duty logic should happen server-side in a full-fledged Java class. For lighter-weight functions, taglibs should be used.
This rule flags all uses of JSP declarations (``++<%! ... %>++`` and ``++<jsp:declaration>...</jsp:declaration>++``) and scriptlets (``++<% ... %>++``).
2021-04-28 18:08:03 +02:00
2021-04-28 16:49:39 +02:00
== Noncompliant Code Example
2022-02-04 17:28:24 +01:00
[source,html]
2021-04-28 16:49:39 +02:00
----
<%! // Noncompliant
private Connection conn = null;
public void init() {
try {
Class.forName("org.hsqldb.jdbcDriver" );
conn = DriverManager.getConnection("jdbc:hsqldb:mem:SQL", "sa", "");
} catch (SQLException e) {
getServletContext().log("Db error: " + e);
} catch (Exception e) {
getServletContext().log("System error: " + e);
}
}
%>
<% // Noncompliant
Statement stmt = conn.createStatement();
ResultSet rs = null;
String query = StringEscapeUtils.escapeHtml4(query).replaceAll("'", "'");
try {
String sql = "SELECT PRODUCT, DESC, TYPE, PRICE " +
"FROM PRODUCTS" +
"WHERE PRODUCT LIKE '%" + query + "%'";
rs = stmt.executeQuery(sql);
String output = "";
int count = 0;
while (rs.next()) {
count++;
output = output.concat("<TR><TD>" + rs.getString("PRODUCT") +
"</TD><TD>" + rs.getString("DESC") +
"</TD><TD>" + rs.getString("TYPE") +
"</TD><TD>" + rs.getString("PRICE") + "</TD></TR>\n");
}
if(count > 0){
%>
<TABLE border="1">
<TR><TD>Product</TD><TD>Description</TD><TD>Type</TD><TD>Price</TD></TR>
<%= output %>
</TABLE>
<% // Noncompliant
}
} catch (Exception e) {
// ...
----
2021-04-28 18:08:03 +02:00
2021-04-28 16:49:39 +02:00
== Compliant Solution
2022-02-04 17:28:24 +01:00
[source,html]
2021-04-28 16:49:39 +02:00
----
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<table>
<c:forEach items="${products}" var="product">
<tr>
<td>${product.name}</td>
<td>${product.description}</td>
<td>${product.type}</td>
<td>${product.price}</td>
</tr>
</c:forEach>
</table>
----
2021-04-28 18:08:03 +02:00
2021-06-02 20:44:38 +02:00
2021-06-03 09:05:38 +02:00
ifdef::env-github,rspecator-view[]
2021-09-20 15:38:42 +02:00
'''
== Implementation Specification
(visible only on this page)
include::message.adoc[]
2021-06-08 15:52:13 +02:00
'''
2021-06-02 20:44:38 +02:00
== Comments And Links
(visible only on this page)
include::comments-and-links.adoc[]
2021-06-03 09:05:38 +02:00
endif::env-github,rspecator-view[]
