tomcat-dev mailing list archives

From "Andreas Junghans" <Andreas.Jungh...@fh-karlsruhe.de>
Subject Re: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/generators StaticInterceptor.java
Date Tue, 16 Apr 2002 09:37:01 GMT
Hi Remy,

> As I stated in the comments of the bug, I don't agree with your
> interpretation about the JSP displaying "code".

Sorry again for not making myself clear. To put it exactly (I hope ...):

There are cases in complex include/forward scenarios where Tomcat serves
JSPs as static resources. So the *client browser* receives something like
this as plain text:


<%@page language="java" %>

<%
 application.getRequestDispatcher("/html/test.html").forward(request, response);
%>

<%-- possible harmful information like database login information etc. may
also appear here --%>


This was what I referred to as "JSP source code". After reading your comment
I noticed how ambiguous that was (sorry again). Now the question is: Is it
dangerous if the client sees a JSP including all embedded scriptlets? I'd
say yes since developers usually rely upon their Java/JSP code not being
visible to clients (e.g. because database username and password are stored
there - and let's not argue whether this is good design ;-)).

Best regards

  Andreas

PS Thanks for incorporating the patch that changes the shutdown order in
StandardContext.



--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
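
A defender-side check for the failure described in the message above, as an added example that is not part of the original post or of Tomcat's code: it flags text responses whose body still contains raw JSP syntax. The function names, request paths and sample responses are constructed for illustration.

```python
import re

# Tokens a JSP compiler consumes; any of them in a response body means the
# page was sent as a static file instead of being executed.
JSP_MARKERS = {
    "directive": re.compile(r"<%@\s*(?:page|include|taglib)\b"),
    "comment": re.compile(r"<%--.*?--%>", re.S),
    "declaration": re.compile(r"<%!.*?%>", re.S),
    "expression": re.compile(r"<%=.*?%>", re.S),
    "scriptlet": re.compile(r"<%(?![@=!-]).*?%>", re.S),
}

def leaked_jsp_markers(content_type, body):
    """Return the sorted kinds of raw JSP syntax found in a text response."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type and not media_type.startswith("text/"):
        return []  # binary payloads are out of scope for this check
    return sorted(kind for kind, rx in JSP_MARKERS.items() if rx.search(body))

def scan(responses):
    """Map request path -> marker kinds, for responses that leak source."""
    findings = {}
    for path, content_type, body in responses:
        kinds = leaked_jsp_markers(content_type, body)
        if kinds:
            findings[path] = kinds
    return findings

# Constructed sample responses (path, Content-Type, body). The first body is
# the page from the message above, delivered unprocessed.
SAMPLES = [
    ("/forward.jsp", "text/plain",
     '<%@page language="java" %>\n\n<%\n'
     ' application.getRequestDispatcher("/html/test.html")'
     '.forward(request, response);\n%>\n\n'
     '<%-- possible harmful information --%>\n'),
    ("/html/test.html", "text/html; charset=ISO-8859-1",
     "<html><body>forward target</body></html>"),
    # Escaped JSP in a tutorial page is rendered text, not leaked source.
    ("/docs/jsp-howto.html", "text/html",
     "<pre>&lt;%@ page language=\"java\" %&gt;</pre>"),
]

if __name__ == "__main__":
    for path, kinds in scan(SAMPLES).items():
        print(f"{path}: unprocessed JSP syntax in response ({', '.join(kinds)})")
```

Run against captured responses in a regression suite, a non-empty result for any `.jsp` path means the container delivered the file as a static resource.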

