
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
== Why is this an issue?
|
|
|
|
Just because you _can_ do something, that doesn't mean you _should_, and the use of full-fledged Java in a JSP or JSF falls into that category.
|
|
|
|
|
|
Besides the fact that such code isn't reusable, testable, maintainable or OO-inheritable, using Java in such client-side pages can leave you incredibly vulnerable from a number of perspectives including security and resource management. The noncompliant example below shows both kinds of problem: a value that has only been HTML-escaped is concatenated into an SQL query (HTML escaping is no defence against SQL injection), and the JDBC connection opened in the declaration is never closed.
|
|
|
|
|
|
Instead, any heavy-duty logic should happen server-side in a full-fledged Java class. For lighter-weight functions, taglibs should be used.
|
|
|
|
|
|
This rule flags all uses of JSP declarations (``++<%! ... %>++`` and ``++<jsp:declaration>...</jsp:declaration>++``) and scriptlets (``++<% ... %>++``).
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,html]
|
|
----
|
|
<%! // Noncompliant
|
|
// Declaration block: these members become fields of the generated servlet, so one
// Connection is shared by every request, and nothing in this page ever closes it.
private Connection conn = null;
|
|
|
|
// Opens the shared connection once (presumably at servlet initialisation — confirm
// against the container's generated class).
public void init() {
|
|
try {
|
|
Class.forName("org.hsqldb.jdbcDriver" );
|
|
// Database credentials are hard-coded in the page source.
conn = DriverManager.getConnection("jdbc:hsqldb:mem:SQL", "sa", "");
|
|
} catch (SQLException e) {
|
|
getServletContext().log("Db error: " + e);
|
|
} catch (Exception e) {
|
|
// Any other failure is only logged; conn stays null and the scriptlet below dereferences it.
getServletContext().log("System error: " + e);
|
|
}
|
|
}
|
|
%>
|
|
<% // Noncompliant
|
|
Statement stmt = conn.createStatement();
|
|
ResultSet rs = null;
|
|
String query = StringEscapeUtils.escapeHtml4(query).replaceAll("'", "'");
|
|
|
|
try {
|
|
String sql = "SELECT PRODUCT, DESC, TYPE, PRICE " +
|
|
"FROM PRODUCTS" +
|
|
"WHERE PRODUCT LIKE '%" + query + "%'";
|
|
rs = stmt.executeQuery(sql);
|
|
|
|
String output = "";
|
|
int count = 0;
|
|
while (rs.next()) {
|
|
count++;
|
|
output = output.concat("<TR><TD>" + rs.getString("PRODUCT") +
|
|
"</TD><TD>" + rs.getString("DESC") +
|
|
"</TD><TD>" + rs.getString("TYPE") +
|
|
"</TD><TD>" + rs.getString("PRICE") + "</TD></TR>\n");
|
|
}
|
|
if(count > 0){
|
|
%>
|
|
<TABLE border="1">
|
|
<TR><TD>Product</TD><TD>Description</TD><TD>Type</TD><TD>Price</TD></TR>
|
|
<%= output %>
|
|
</TABLE>
|
|
<% // Noncompliant
|
|
}
|
|
} catch (Exception e) {
|
|
// ...
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,html]
|
|
----
|
|
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
|
|
<%-- Presentation only: the products collection is expected to be prepared server-side
     (presumably by a controller) and exposed as ${products}; confirm against the caller. --%>
|
|
<table>
|
|
<c:forEach items="${products}" var="product">
|
|
<%-- NOTE(review): EL in template text is written out without HTML escaping; values
     that may contain markup (e.g. the description) should go through
     <c:out value="${...}"/>, which escapes by default. --%>
<tr>
|
|
<td>${product.name}</td>
|
|
<td>${product.description}</td>
|
|
<td>${product.type}</td>
|
|
<td>${product.price}</td>
|
|
</tr>
|
|
</c:forEach>
|
|
</table>
|
|
----
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Move the logic in this scriptlet to a server-side Java class.
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 11 May 2015, 15:22:11 Massimo PALADIN wrote:
|
|
\[~ann.campbell.2] LGTM.
|
|
|
|
endif::env-github,rspecator-view[]
|