-1

I have to change the source code of my training application to validate only .jsp files from a created allowlist. Currently, the logic works but without validating pages, and it looks like this:

        <%
            String somePage = "user";
            if (request.getParameter("page") != null) {
                somePage = request.getParameter("page");
            }
        %>

        <jsp:include page="<%=\"sites/\"+somePage+\".jsp\"%>"/>

I need to create an allowlist including only files from a subpackage of my webapp - 'sites': "user.jsp", "interface.jsp" and "tools.jsp". I tried something like this:

        <%
            String somePage;
            if (request.getParameter("page") != null) {
                somePage = request.getParameter("page");
            }
        %>

        <c:if test="${somePage['page'] =='user' || somePage['page'] == 'interface' || somePage['page'] == 'tools'}">
        <jsp:include page="<%=\"sites/\"+somePage+\".jsp\"%>"/>
        </c:if>

I'm not sure if the problem is my syntax or something totally different. Could you please help me and indicate what is wrong and how I should modify the code?

  • Scriptlet variables are local to the page. Look into [this](https://stackoverflow.com/a/28430570/573032). – Roman C Jul 07 '23 at 16:21

1 Answer

0

You can just use param.page.

        <c:if test="${param.page == 'user' || param.page == 'interface' || param.page == 'tools'}">

Unmitigated
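
An added example, not part of the original question or answer: the allowlist check done in the scriptlet itself, so the include path is only ever built from one of the three page names listed in the question, with `user` kept as the default from the original code. The variable names `allowedPages` and `requested` are hypothetical.

```jsp
<%@ page import="java.util.Arrays, java.util.HashSet, java.util.Set" %>
<%
    // Allowlist of page names under sites/ (the three files named in the question).
    Set<String> allowedPages = new HashSet<String>(
            Arrays.asList("user", "interface", "tools"));

    // Default page, as in the original code.
    String somePage = "user";

    // Accept the request parameter only on an exact match with an allowlist entry.
    // Anything else (missing parameter, unknown name, a value containing path
    // segments or an extension) leaves the default in place.
    String requested = request.getParameter("page");
    if (requested != null && allowedPages.contains(requested)) {
        somePage = requested;
    }
%>

<%-- somePage can now only be "user", "interface" or "tools" --%>
<jsp:include page="<%=\"sites/\"+somePage+\".jsp\"%>"/>
```

Because `somePage` is always initialized and only overwritten after the exact-match check, the include never receives raw request input, and no JSTL tag or page-scoped attribute is needed to guard it.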