16.3 Preventing Expression Language Evaluation

In JSP 1.2 and earlier, strings of the form ${...} had no special meaning. So, it is possible that the characters ${ appear within a previously created page that is now being used on a server that supports JSP 2.0. In such a case, you need to deactivate the expression language in that page. You have four options for doing so.

  • Deactivating the expression language in an entire Web application. You use a web.xml file that refers to servlets 2.3 (JSP 1.2) or earlier. See the first following subsection for details.

  • Deactivating the expression language in multiple JSP pages. You use the jsp-property-group web.xml element to designate the appropriate pages. See the second following subsection for details.

  • Deactivating the expression language in individual JSP pages. You use the isELEnabled attribute of the page directive. See the third following subsection for details.

  • Deactivating individual expression language statements. In JSP 1.2 pages that need to be ported unmodified across multiple JSP versions (with no web.xml changes), you can replace $ with &#36;, the HTML character entity for $. In JSP 2.0 pages that contain both expression language statements and literal ${ strings, you can use \${ when you want ${ in the output.

Remember that these techniques are only necessary when the page contains the sequence ${.

Deactivating the Expression Language in an Entire Web Application

The JSP 2.0 expression language is automatically deactivated in Web applications whose deployment descriptor (i.e., WEB-INF/web.xml file) refers to servlet specification version 2.3 or earlier (i.e., JSP 1.2 or earlier). The web.xml file is discussed in great detail in the second volume of the book, but this volume provides a quick introduction in Section 2.11 (Web Applications: A Preview). For example, the following empty-but-legal web.xml file is compatible with JSP 1.2, and thus indicates that the expression language should be deactivated by default.

 
 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE web-app
   PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
   "http://java.sun.com/dtd/web-app_2_3.dtd">
 <web-app>
 </web-app>

On the other hand, the following web.xml file is compatible with JSP 2.0, and thus stipulates that the expression language should be activated by default. (Both of these web.xml files, like all code examples presented in the book, can be downloaded from the book's source code archive at http://www.coreservlets.com/).

 
 <?xml version="1.0" encoding="ISO-8859-1"?>
 <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation=
            "http://java.sun.com/xml/ns/j2ee web-app_2_4.xsd"
          version="2.4">
 </web-app>

Deactivating the Expression Language in Multiple JSP Pages

In a Web application whose deployment descriptor specifies servlets 2.4 (JSP 2.0), you use the el-ignored subelement of the jsp-property-group web.xml element to designate the pages in which the expression language should be ignored. Here is an example that deactivates the expression language for all JSP pages in the legacy directory.

 
 <?xml version="1.0" encoding="ISO-8859-1"?>
 <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation=
            "http://java.sun.com/xml/ns/j2ee web-app_2_4.xsd"
          version="2.4">
   <!-- In the servlet 2.4 schema, jsp-property-group is a child of jsp-config. -->
   <jsp-config>
     <jsp-property-group>
       <url-pattern>/legacy/*.jsp</url-pattern>
       <el-ignored>true</el-ignored>
     </jsp-property-group>
   </jsp-config>
 </web-app>

The jsp-property-group element is discussed in more detail in Volume 2 of this book.

Deactivating the Expression Language in Individual JSP Pages

To disable EL evaluation in an individual page, supply false as the value of the isELEnabled attribute of the page directive, as follows.

 
 <%@ page isELEnabled="false" %> 

Note that the isELEnabled attribute is new in JSP 2.0 and it is an error to use it in a server that supports only JSP 1.2 or earlier. So, you cannot use this technique to allow the same JSP page to run in either old or new servers without modification. Consequently, the jsp-property-group element is usually a better choice than the isELEnabled attribute.

Deactivating Individual Expression Language Statements

Suppose you have a JSP 1.2 page containing ${ that you want to use in multiple places. In particular, you want to use it in both JSP 1.2 Web applications and in Web applications that contain expression language pages. You want to be able to drop the page in any Web application without making any changes either to it or to the web.xml file. Although this is an unlikely scenario, it could happen, and none of the previously discussed constructs will serve the purpose. In such a case, you simply replace the $ with the HTML character entity corresponding to the ISO 8859-1 value of $ (36). So, you replace ${ with &#36;{ throughout the page. For example,

 
 &#36;{blah} 

will portably display

 
 ${blah} 

to the user. Note, however, that the character entity is translated to $ by the browser, not by the server, so this technique will only work when you are outputting HTML to a Web browser.

Finally, suppose you have a JSP 2.0 page that contains both expression language statements and literal ${ strings. In such a case, simply put a backslash in front of the dollar sign. So, for example,

 
 \${1+1} is ${1+1}.

will output

 
 ${1+1} is 2. 
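
An audit sketch for the rules in this section, added here and not taken from the book or its source archive: given a web.xml and a set of JSP pages, it reports which pages contain a literal ${ that a JSP 2.0 container would evaluate instead of printing. The function names, sample descriptors and sample pages are constructed, page directives are not considered, and the glob match used for url-pattern is an assumption standing in for the container's own matching.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# "${" not preceded by a backslash; "\${" and "&#36;{" are left alone.
LIVE_EL = re.compile(r"(?<!\\)\$\{")

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on 2.4 element names."""
    return tag.rsplit("}", 1)[-1]

def el_settings(web_xml):
    """Return (EL on by default?, url-patterns whose group sets el-ignored=true)."""
    root = ET.fromstring(web_xml)
    version = root.get("version")  # DTD-based 2.3 descriptors have no version attribute
    on = version is not None and tuple(map(int, version.split("."))) >= (2, 4)
    ignored = []
    for group in root.iter():
        if local(group.tag) != "jsp-property-group":
            continue
        kids = [(local(c.tag), (c.text or "").strip()) for c in group]
        if ("el-ignored", "true") in kids:
            ignored += [text for name, text in kids if name == "url-pattern"]
    return on, ignored

def pages_at_risk(web_xml, pages):
    """Paths of pages whose literal ${ would be evaluated under this web.xml."""
    on, ignored = el_settings(web_xml)
    if not on:
        return []
    # Assumption: glob matching stands in for the container's pattern matching.
    return sorted(path for path, text in pages.items()
                  if LIVE_EL.search(text)
                  and not any(fnmatchcase(path, pat) for pat in ignored))

# Constructed sample inputs (not from the book's source archive).
WEB_23 = b"""<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app></web-app>"""
WEB_24 = b"""<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <jsp-config><jsp-property-group>
    <url-pattern>/legacy/*.jsp</url-pattern>
    <el-ignored>true</el-ignored>
  </jsp-property-group></jsp-config>
</web-app>"""
PAGES = {"/legacy/old.jsp": "Price: ${price}",
         "/report.jsp": "Total is ${total}",
         "/help.jsp": r"Write \${x} or &#36;{x} to show a literal"}

if __name__ == "__main__":
    print(pages_at_risk(WEB_23, PAGES), pages_at_risk(WEB_24, PAGES))
```

Under the 2.3 descriptor nothing is reported; under the 2.4 descriptor only /report.jsp is, because /legacy/old.jsp is covered by el-ignored and /help.jsp uses the two escaping techniques.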


Core Servlets and JavaServer Pages (Vol. 1.Core Technologies)
Core Servlets and Javaserver Pages: Core Technologies, Vol. 1 (2nd Edition)
ISBN: 0130092290
EAN: 2147483647
Year: 2002
Pages: 194
