
23.6 Using JSTL Tag Library Validators

JSP 1.2 introduced a powerful mechanism for validating the elements used in a page at translation time: the tag library validator described in Chapter 22. JSTL includes two generic validators you can configure and use in your application to control which scripting elements and which tag libraries a page may use.

The ScriptFreeTLV class is a validator that can be configured to reject pages containing scripting elements. To use it, either declare it in the TLD for your own custom library or create a TLD file that defines it as the validator for a dummy library with no tags, used only for validation:

<?xml version="1.0" encoding="ISO-8859-1" ?>
<taglib xmlns="http://java.sun.com/xml/ns/j2ee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd"
  version="2.0">

  <description>
    Validates JSP pages to prohibit use of scripting elements.
  </description>
  <tlib-version>1.1</tlib-version>
  <short-name>scriptfree</short-name>
  <uri>http://mycompany.org/taglibs/scriptfree</uri>
  
  <validator>
    <validator-class>
      javax.servlet.jsp.jstl.tlv.ScriptFreeTLV
    </validator-class>
    <init-param>
      <param-name>allowDeclarations</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>allowScriptlets</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>allowExpressions</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>allowRTExpressions</param-name>
      <param-value>true</param-value>
    </init-param>
  </validator>
</taglib>

The initialization parameters define which types of scripting elements to accept. Each parameter defaults to false, so a validator declared without any parameters rejects all of them. The configuration above rejects declarations and scriptlets but still permits expressions (<%= ... %>) in template text and as request-time attribute values; set all four parameters to false to forbid scripting entirely. Starting with JSP 2.0, you can instead disable all types of scripting elements for a set of pages with the scripting-invalid element of a jsp-property-group in the web.xml file. I recommend that option, because it applies to every page matching the url-pattern rather than only to pages that happen to declare the validator's taglib directive, but this validator is still available and can be used if you need more fine-grained control.

The PermittedTaglibsTLV can limit the set of tag libraries that are used in a page:

<?xml version="1.0" encoding="ISO-8859-1" ?>
<taglib xmlns="http://java.sun.com/xml/ns/j2ee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd"
  version="2.0">

  <description>
    Validates JSP pages to only allow a defined set of tag libraries.
  </description>
  <tlib-version>1.1</tlib-version>
  <short-name>onlyJSTL</short-name>
  <uri>http://mycompany.org/taglibs/onlyJSTL</uri>
  
  <validator>
    <validator-class>
      javax.servlet.jsp.jstl.tlv.PermittedTaglibsTLV
    </validator-class>
    <init-param>
      <param-name>permittedTaglibs</param-name>
      <param-value>
        http://java.sun.com/jsp/jstl/core
        http://java.sun.com/jsp/jstl/xml
        http://java.sun.com/jsp/jstl/fmt
        http://java.sun.com/jsp/jstl/sql
        http://java.sun.com/jsp/jstl/functions
      </param-value>
    </init-param>
  </validator>
</taglib>

Here it's configured to allow only the JSTL 1.1 libraries. You can, of course, add the URIs of other custom tag libraries that should be permitted to the list, and you can just as well remove libraries that pages should not use, such as the SQL library in an application where database access belongs in the business tier. When a page uses this validator together with the scriptfree library above, add the scriptfree URI to the list as well: the validator checks every tag library the page declares, and only its own library is permitted implicitly.

Declaring the two libraries with taglib directives in a page activates the validators for that page:

<%@ taglib prefix="scriptfree" uri="http://mycompany.org/taglibs/scriptfree" %>
<%@ taglib prefix="onlyJSTL" uri="http://mycompany.org/taglibs/onlyJSTL" %>

A page that omits these directives is not checked at all. To make sure every page is validated, create a file that contains these taglib directives plus the taglib directives for all real tag libraries the application uses, and include it in all JSP pages with the include-prelude element of a jsp-property-group in web.xml, described in Chapter 17, instead of repeating the directives in every page.
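As an added example, not taken from the original text, here is a web.xml fragment that puts the two recommendations together: a jsp-property-group that rejects all scripting for every page with the .jsp extension, as recommended in the discussion of ScriptFreeTLV above, and that prepends a prelude holding the taglib directives so the PermittedTaglibsTLV check runs on each of those pages. The prelude path /WEB-INF/jspf/taglibs.jspf is an assumed name; the element structure is the one defined by the Servlet 2.4/JSP 2.0 deployment descriptor schema.

```xml
<?xml version="1.0" encoding="ISO-8859-1" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
  version="2.4">

  <jsp-config>
    <jsp-property-group>
      <!-- Applies to every page with this extension, whether or not
           the page declares a taglib directive of its own. -->
      <url-pattern>*.jsp</url-pattern>

      <!-- JSP 2.0 alternative to ScriptFreeTLV with all parameters
           false: declarations, scriptlets and expressions are all
           rejected at translation time for the matching pages. -->
      <scripting-invalid>true</scripting-invalid>

      <!-- Assumed file name. The fragment holds the taglib directives
           for the validation libraries and for the real libraries, so
           PermittedTaglibsTLV checks every matching page. -->
      <include-prelude>/WEB-INF/jspf/taglibs.jspf</include-prelude>
    </jsp-property-group>
  </jsp-config>

</web-app>
```

The prelude file contains the two validator directives shown earlier plus one taglib directive for each real library. Because scripting-invalid already rejects declarations, scriptlets and expressions, the scriptfree directive is only needed if you omit scripting-invalid (or set it to false) to keep the finer control ScriptFreeTLV offers. Any page under the pattern that declares a library outside the permitted list then fails at translation time with the validator's message instead of being compiled and served.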
