== Why is this an issue?

Just because you _can_ do something, that doesn't mean you _should_, and the use of full-fledged Java in a JSP or JSF falls into that category. 


Beside the fact that such code isn't resuable, testable, maintainable or OO-inheritable, using Java in such client-side pages can leave you incredibly vulnerable from a number of perspectives including security and resource management.


Instead, any heavy-duty logic should happen server-side in a full-fledged Java class. For lighter-weight functions, taglibs should be used.


This rule flags all uses of JSP declarations (``++<%! ... %>++`` and ``++<jsp:declaration>...</jsp:declaration>++``) and scriptlets (``++<% ... %>++``).


=== Noncompliant code example

[source,html]
----
<%!  // Noncompliant
  private Connection conn = null;

  public void init() {
    try {
      Class.forName("org.hsqldb.jdbcDriver" );
      conn = DriverManager.getConnection("jdbc:hsqldb:mem:SQL", "sa", "");
    } catch (SQLException e) {
      getServletContext().log("Db error: " + e);
    } catch (Exception e) {
    getServletContext().log("System error: " + e);
    }
  }
%>
<%    // Noncompliant
Statement stmt = conn.createStatement();
ResultSet rs = null;
String query = StringEscapeUtils.escapeHtml4(query).replaceAll("'", "&#39");

try {
  String sql = "SELECT PRODUCT, DESC, TYPE, PRICE " +
                     "FROM PRODUCTS" +
                     "WHERE PRODUCT LIKE '%" + query + "%'";
  rs = stmt.executeQuery(sql);

  String output = "";
  int count = 0;
  while (rs.next()) {
    count++;
    output = output.concat("<TR><TD>" + rs.getString("PRODUCT") + 
                                  "</TD><TD>" + rs.getString("DESC") + 
                                  "</TD><TD>" + rs.getString("TYPE") + 
                                  "</TD><TD>" + rs.getString("PRICE") + "</TD></TR>\n");
  }
  if(count > 0){
%>
<TABLE border="1">
<TR><TD>Product</TD><TD>Description</TD><TD>Type</TD><TD>Price</TD></TR>
<%= output %>
</TABLE>
<%  // Noncompliant
  }
} catch (Exception e) {
  // ...
----


=== Compliant solution

[source,html]
----
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>

<table>
    <c:forEach items="${products}" var="product">
        <tr>
            <td>${product.name}</td>
            <td>${product.description}</td>
            <td>${product.type}</td>
            <td>${product.price}</td>
        </tr>
    </c:forEach>
</table>
----


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Move the logic in this scriptlet to a server-side Java class.


'''
== Comments And Links
(visible only on this page)

=== on 11 May 2015, 15:22:11 Massimo PALADIN wrote:
\[~ann.campbell.2] LGTM.

endif::env-github,rspecator-view[]