5

I recently read how to disable scripting for an entire application by adding the following elements to the web.xml file:

<jsp-config>
    <jsp-property-group>
        <url-pattern>*.jsp</url-pattern>
        <scripting-invalid>true</scripting-invalid>
    </jsp-property-group>
</jsp-config>

It went on to state that doing this forces you to always use standard JSP tags, EL, and JSTL instead of scripting, but it doesn't define 'scripting'. I was under the impression that EL is a form of scripting, and now I'm left wondering what is it I can't do exactly, after I disable scripting?

elekwent
  • 763
  • 5
  • 10

2 Answers2

9

It disables scriptlets (<% %>), scriptlet expressions (<%= %>) and scriptlet declarations (<%! %>), which is a way of embedding raw Java code inside a JSP file. Using scriptlets has indeed been discouraged since the birth of taglibs/EL in favor of better readable and maintainable code.

See also:

Community
  • 1
  • 1
BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555
  • It only disables scriptlets? What about the other JSP tags? Does it disable expressions, directives, comments, and declarations? – elekwent May 04 '11 at 21:46
  • Scriptlets, expressions and declarations. Not directives and comments. I updated the answer. – BalusC May 04 '11 at 21:54
  • Ah, the idea of "embedding raw Java code inside a JSP file" makes perfect sense and answers my question. Thx – elekwent May 04 '11 at 21:55
2

It disables scriptlets, which is basically java code in the JSP e.g.

<% request.getAttribute("bob"); %>

would not be allowed.

JSTL, EL, etc. will all work fine.

planetjones
  • 12,469
  • 5
  • 50
  • 51