7

After submitting data in the HTML form, a servlet adds these data to my DB and forwards a result message to a JSP page. I want to retain the initially submitted values in the form after the forward.

Is it sensible to make an object in a servlet and add all the parameters I receive and send it with a request to JSP? Is there another better way?

BalusC
palAlaa

2 Answers

14

You could access single-value request parameters by `${param}`.

```
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
...
<input name="foo" value="${fn:escapeXml(param.foo)}">
<textarea name="bar">${fn:escapeXml(param.bar)}</textarea>
...
<input type="radio" name="faz" value="a" ${param.faz == 'a' ? 'checked' : ''} />
<input type="radio" name="faz" value="b" ${param.faz == 'b' ? 'checked' : ''} />
<input type="radio" name="faz" value="c" ${param.faz == 'c' ? 'checked' : ''} />
...
<select name="baz">
    <option value="a" ${param.baz == 'a' ? 'selected' : ''}>label a</option>
    <option value="b" ${param.baz == 'b' ? 'selected' : ''}>label b</option>
    <option value="c" ${param.baz == 'c' ? 'selected' : ''}>label c</option>
</select>
```

Do note that JSTL's `fn:escapeXml()` is necessary in order to prevent XSS attacks. See also XSS prevention in JSP/Servlet web application.

You could access multi-value request parameters by `${paramValues}` and EL 3.0 streams.

```
<input type="checkbox" name="far" value="a" ${paramValues.far.stream().anyMatch(v->v == 'a').get() ? 'checked' : ''} />
<input type="checkbox" name="far" value="b" ${paramValues.far.stream().anyMatch(v->v == 'b').get() ? 'checked' : ''} />
<input type="checkbox" name="far" value="c" ${paramValues.far.stream().anyMatch(v->v == 'c').get() ? 'checked' : ''} />
...
<select name="boo" multiple>
    <option value="a" ${paramValues.boo.stream().anyMatch(v->v == 'a').get() ? 'selected' : ''}>label a</option>
    <option value="b" ${paramValues.boo.stream().anyMatch(v->v == 'b').get() ? 'selected' : ''}>label b</option>
    <option value="c" ${paramValues.boo.stream().anyMatch(v->v == 'c').get() ? 'selected' : ''}>label c</option>
</select>
```
Community
BalusC
  • It works with text fields, but what if I want to use it with – palAlaa Oct 14 '10 at 22:42
  • Render `checked` conditionally. E.g. `${param.foo == 'E' ? 'checked' : ''}`. I updated the answer with some more examples. – BalusC Oct 14 '10 at 22:44
  • It works, thank you. About XSS, I am trying to make a filter for all parameters for all JSP pages; I think it could be easier than checking each input. Can I know your opinion about that? – palAlaa Oct 14 '10 at 22:59
  • No, certainly don't do that. Do it during redisplaying user-controlled input only, the latest possible moment. Or adopt an existing robust and well-developed MVC framework like JSF. It will take care about this automagically. – BalusC Oct 14 '10 at 23:06
  • Can you tell me why not to use a filter? Do you mean that a filter will slow the response of JSP requests? And actually I didn't get what you mean by 'Do it during redisplaying user-controlled input only'. Do you mean checking each input? – palAlaa Oct 14 '10 at 23:32
  • 2
    Sanitizing XSS during request processing will cause trouble on long term as this is not the normal practice. Maintainability, reusability and portability of the app and the data will suffer from this. Do it during response processing only. With "during redisplaying user-controlled input" I just mean straight in the JSP, exactly as demonstrated in my answer. If you insist you can always do things differently, I am just warning for future regrets and waste of time. – BalusC Oct 14 '10 at 23:33
  • Mr BalusC, `escapeXml()` doesn't work; the script has been added to my DB as is. Here is my work: , and I read that it replaces characters that have special meaning in XML with their corresponding character entity codes. Does that mean that instead of saving it in the DB as `<` it will be added as `&lt;`? – palAlaa Oct 15 '10 at 00:16
  • 2
    Scripts won't be executed in DB. This does absolutely not harm. This is perfectly fine. The `escapeXml()` will escape them when it's about to be redisplayed in HTML. Remove it and retest. You'll see that the script will be executed. – BalusC Oct 15 '10 at 00:26
  • Love how simple the "stream" method is for the multiple checkbox scenario, however is there an EL 2.2 equivalent? The server I'm on is using servlet version 3.0 instead of 3.1 – AlexM Aug 01 '17 at 22:01
  • @Aender: Unfortunately no. You'd better use an [EL function](https://stackoverflow.com/questions/7079978/how-to-create-a-custom-el-function-to-invoke-a-static-method/7080174#7080174). – BalusC Aug 02 '17 at 05:24
3

For the select statement maybe you can just use JavaScript.

```
document.getElementById('baz').value = '${param.baz}';
```
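
The same pre-selection without writing the request parameter into script source, as an added example that is not part of either answer: the value travels in an HTML attribute, where `fn:escapeXml()` is the matching encoder, and the script reads it back from the DOM and selects only an existing option. The `id="baz"` and the `data-selected` attribute are assumptions introduced for this example.

```jsp
<%-- Added example, not code from either answer.
     Assumed names: id="baz" on the select and the data-selected attribute. --%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>

<%-- As posted, the parameter lands inside a JavaScript string literal, so the
     request value becomes part of the script source. HTML escaping is not the
     encoder for that context (it leaves backslashes and line breaks alone):
     document.getElementById('baz').value = '${param.baz}';
--%>

<%-- Hardened form: emit the value in an HTML attribute context only, escaped
     with fn:escapeXml(), which returns an empty string for a missing parameter. --%>
<select id="baz" name="baz" data-selected="${fn:escapeXml(param.baz)}">
    <option value="a">label a</option>
    <option value="b">label b</option>
    <option value="c">label c</option>
</select>

<script>
    (function () {
        var select = document.getElementById('baz');

        // The HTML parser has already decoded the attribute, so this is the
        // submitted value as plain data. It is never parsed as script.
        var submitted = select.dataset.selected;

        // Select only a value that is really one of the rendered options;
        // anything else leaves the default selection untouched.
        for (var i = 0; i < select.options.length; i++) {
            if (select.options[i].value === submitted) {
                select.selectedIndex = i;
                break;
            }
        }
    })();
</script>
```

The script block contains no EL expression, so it can also be moved to a static `.js` file unchanged.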