tomcat-dev mailing list archives

From "Andreas Junghans" <>
Subject Re: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/generators
Date Tue, 16 Apr 2002 09:37:01 GMT
Hi Remy,

> As I stated in the comments of the bug, I don't agree with your
> interpretation about the JSP displaying "code".

Sorry again for not making myself clear. To put it exactly (I hope ...):

There are cases in complex include/forward scenarios where Tomcat serves
JSPs as static resources. So the *client browser* receives something like
this as plain text:

<%@page language="java" %>


<%-- possibly harmful information like database login information etc. may
also appear here --%>

This was what I referred to as "JSP source code". After reading your comment
I noticed how ambiguous that was (sorry again). Now the question is: Is it
dangerous if the client sees a JSP including all embedded scriptlets? I'd
say yes since developers usually rely upon their Java/JSP code not being visible
to clients (e.g. because database username and password
are stored there - and let's not argue whether this is good design ;-)).

Best regards


PS Thanks for incorporating the patch that changes the shutdown order in
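
A regression check for the failure described in this message, as an added example that is not part of the original post or of Tomcat: it scans a captured HTTP response body for JSP constructs that reached the client unprocessed. The function names and all sample bodies are constructed for illustration.

```python
import re

# Raw JSP syntax that should never survive into a response body.
JSP_MARKERS = [
    ("directive", re.compile(r"<%@")),
    ("comment", re.compile(r"<%--")),
    ("declaration", re.compile(r"<%!")),
    ("expression", re.compile(r"<%=")),
    ("standard-action", re.compile(r"</?jsp:[A-Za-z]")),
    # A bare "<%" that is none of the more specific forms above.
    ("scriptlet", re.compile(r"<%(?![@!=-])")),
]

def find_jsp_leaks(body):
    """Return (line_number, kind) for every raw JSP construct in body."""
    findings = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        for kind, pattern in JSP_MARKERS:
            if pattern.search(line):
                findings.append((lineno, kind))
    return findings

# Constructed sample: a JSP delivered as a static resource.
LEAKED = """<%@page language="java" %>
<html><body>
<%-- constructed comment standing in for embedded credentials --%>
<% String user = request.getParameter("u"); %>
Hello <%= user %>
<jsp:include page="footer.jsp" />
</body></html>"""

# Constructed sample: the same page after normal JSP processing.
RENDERED = "<html><body>\nHello alice\n<p>50% off</p>\n</body></html>"

# Constructed sample: HTML that documents JSP syntax in escaped form.
ESCAPED = "<pre>&lt;%@page language=\"java\" %&gt;</pre>"

if __name__ == "__main__":
    for name, body in [("leaked", LEAKED), ("rendered", RENDERED),
                       ("escaped", ESCAPED)]:
        print(name, find_jsp_leaks(body))
```

Feeding it the bodies returned by each include/forward path in a test suite turns a source disclosure into a failing assertion rather than something noticed in a browser.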
