i am working on a project. my work is retrieve data from database and displaying them. if required sent to next page for further processing. my problem is i got value from database and i want to send it another jsp or servlet using href.
value i am retrieving is :
<%=special.getString("id")%>
send it to:
Buy Now
but when send data like this error is
is that correct? how do i do it? what is the correct method. i am struck here for long time please help me.
Use single quotes around id instead double.
"new.jsp?id=<%=special.getString('id')%>"
If you're serious about JSP development ditch scriptlets (which went out of common use 10+ years ago) and familiarize yourself with the Java Standard Tag Libraries and JSP Expression Language.
I am not quite sure what 'special' is here, however using EL your code will look something like the below:
<!-- special is an object with a method getId()-->
Buy Now
or
<!-- special is an object with a method getString(String key) -->
Buy Now
If this doesn't work then there is no bean with key 'special' in any scope.
Note that if you are working with a database in your JSP you should consider refactoring to use the standard JSTL SQL tags. See below for an example:
http://www.tutorialspoint.com/jsp/jstl_sql_query_tag.htm
See also:
http://www.tutorialspoint.com/jsp/jsp_standard_tag_library.htm
http://beginnersbook.com/2013/11/jsp-expression-language-el/
*Note for the second example to work your app need to be compliant with the Servlet 3 specification (as passing mthod params was nut supported in EL before this). See further: https://stackoverflow.com/a/6337222/1356423
Use single quote inside double quote.
I am trying to type code but not able to type.
now it should work
You need to escape your quotes first or use single quotes so that your double quotes can work:
Note: Untested.
Buy Now
I see in your error message it says DOUBLE_WHITESPACE in QUERY. I would suggest you try encoding you url.
<% String id=java.net.URLEncoder.encode(special.getString("id") , "UTF-8");%>
Buy Now
Related
I have a menu bar on a web based program that is built using jsp. Usually, my company uses java scriplets to add functionality, but I have been reading about JSTL and was wondering if there was a way to determine if two keys were pressed simultaneously using JSTL. Also, is there any general rules or conventions to be followed when revising scriplets into JSTL?
I don't think there is any way to detect key input using JSTL. As far as I know JSTL, it is a collection of these five types of tags:
Core Tags: used for accessing variables, iterating objects, and (almost) all of the standard loops and if-else statements that you would expect in a programming language.
Formatting tags: Dates, strings etc
SQL tags: Database stuff
XML tags: like core, but for xml
JSTL Functions: Functions like contains, join, split, substring etc
You can read more about it here: http://www.tutorialspoint.com/jsp/jsp_standard_tag_library.htm
Your best bet for creating a key listener, is javascript. Take a look at this post for more info: Detect multiple keys on single keypress event in jQuery
For the other part of your question, I have found particularily two answers already existing on stackoverflow, to be most helpful:
How to avoid Java code in JSP files?
How to avoid using scriptlets in my JSP page?
EDIT: As mentioned in the comments, JSTL works on the server side of a web application. user input happens on the client side, and is therefore out of scope for JSTL. Javascript is the way to go.
I am using PlayFramework2 and I can't find a way to properly handle HTML escaping.
In the template system, HTML entities are filtered by default.
But when I use REST requests with Backbone.js, my JSON objects are not filtered.
I use play.libs.Json.toJson(myModel) to transform an Object into a String.
So, in my controller, I use return ok(Json.toJson(myModel)); to send the response ... but here, the attributes of my model are not secured.
I can't find a way to handle it ...
Second question :
The template engine filters HTML entities by default, this means that we have to store into our database the raw user inputs.
Is it a save behaviour ?
Third questdion :
Is there in the PlayFramework a function to manualy escape strings ? All those I can find require to add new dependencies.
Thanks !
Edit : I found a way at the Backbone.js templating level :
- Use myBackboneModel.escape('attr'); instead of myBackboneModel.get('attr');
Underscore.js templating system also includes that options : <%= attr %> renders without escaping but <%- attr %> renders with escaping !
Just be careful to the efficiency, strings are re-escaped at each rendering. That's why the Backbone .create() should be prefered.
The best practices on XSS-attacks prevention usually recommend you to reason about your output rather than your input. There's a number of reasons behind that. In my opinion the most important are:
It doesn't make any sense to reason about escaping something unless you exactly know how you are going to output/render your data. Because different ways of rendering will require different escaping strategies, e.g. properly escaped HTML string is not good enough to use it in Javascript block. Requirements and technologies change constantly, today you render your data one way - tomorrow you might be using another (let's say you will be working on a mobile client which doesn't require HTML-escaping, because it doesn't use HTML at all to render data) You can only be sure about proper escaping strategy while rendering your data. This is why modern frameworks delegate escaping to templating engines. I'd recommend reviewing the following article: XSS (Cross Site Scripting) Prevention Cheat Sheet
Escaping user's input is actually a destructive/lossy operation – if you escape user's input before persisting it to a storage you will never find out what was his original input. There's no deterministic way to 'unescape' HTML-escaped string, consider my mobile client example above.
That is why I believe that the right way to go would be to delegate escaping to your templating engines (i.e. Play and JS-templating engine you're using for Backbone). There's no need to HTML-escape string you serialize to JSON. Notice that behind the scenes JSON-serializer will JSON-escape your strings, e.g. if you have a quote in your string it will be properly escaped to ensure resulting JSON is correct, because it's a JSON serializer after all that's why it only cares about proper JSON rendering, it knows nothing about HTML (and it shouldn't). However when you rendering your JSON data in the client side you should properly HTML-escape it using the functionality provided by the JS-templating engine you're using for Backbone.
Answering another question: you can use play.api.templates.HtmlFormat to escape raw HTML-string manually:
import play.api.templates.HtmlFormat
...
HtmlFormat.escape("<b>hello</b>").toString()
// -> <b>hello</b>
If you really need to make JSON-encoder escape certain HTML strings, a good idea might be to create a wrapper for them, let's say RawString and provide custom Format[RawString] which will also HTML-escape a string in its writes method. For details see: play.api.libs.json API documentation
I am building a web application with JSP and Java Servlet. Currently I am using JSTL fmt for the internationalization using a property file (messages.properties). But my costumer wants to be able to update text live so I need to move keys/value from the property file to the database. The problem is I don't know how I can read text from the database into for exemple
<fmt:message> tag in the JSP file.
Any help is very welcome, thanks
//Momo
<fmt:message> can make use of a LocalizationContext which, in turn, makes use of a ResourceBundle. So, really, you should focus on how to create a ResourceBundle that meets your needs. If you absolutely have to use a database, perhaps someone's already created a ResourceBundle implementation to handle that. One thing to make sure you investigate, as long as you're using at least Java 6, is ResourceBundle.Control. It may turn out that you can keep using property files but customize the caching behavior.
Not with fmt. You either write your own tag or you change the code of fmt.
Could this be a solution? Instead of reading from the database för every key/value pair I read them into a map and refresh every knight.
Database backed i18n for java web-app
we are trying to add a simple test using JMeter in a JSF Application. We followed the instructions in:
http://jmeter.apache.org/usermanual/build-adv-web-test-plan.html
It has a simple login page with user name and password and a submit button. You can see from the screenshots that we used a proxy. With the settings in the screenshot we are getting HTTP 500 Error. I am not sure if I placed the question in a right way.. Please ask if you need any clarification.
The error code is:
EDIT:
I think this is going to be the longest question of SO. But images are better than words sometimes. Anyway, what we have done is to sent the data that is equivalent to what we see in the firebug. But still getting 500 error. You can see in the attachments Tomcat log.
HTTP 5xx codes are related to server or application errors. Search log files first.
Your script don't need a "User Defined Variables" component because there's no variable expression that really need to be evaluated per thread/user.
The "Regular Expression Extractor" component suffice to extract the JSF ViewState value.
I suggest you to delete the last part of your expression, " />", and change the regular expression grouping (.+?) to (\w+?) 'cause it will evaluate to a few matches (probably only 2). Change the value of "Match No." field to 1 (no need to use random if all values matched are identical).
I didn't understand why you used both "XPath Extractor" and "Regular Expression Extractor" components to extract the same value. I prefer to use the last one when leading with html. XPath is better when treating with well-formed xml strings/files.
To capture a script from scratch, I suggest you to add a "HTTP Proxy Server" inside Workbench, configure it, start it, configure a browser to use this proxy and navigate those pages using the browser. This way you'll capture all requests made and request headers used by the browser you choose. After this, remove unnecessary requests and change query parameters, like javax.faces.ViewState, to the corresponding variables.
Consider using extractors (Pos-Processors) inside an HTTP Sampler prior to the one that will use the variable in Parameter Values. Ex.: if /EBS request comes first and /EBS/login.xhtml request have a javax.faces.ViewState parameter then, probably, /EBS response will contain a hidden input with the javax.faces.ViewState value.
This is a common make up of JSF application test scripts I use. Providing more information about the cause of the HTTP 500 error should clarify the way to a better solution.
On the Regular Expression Extractor for jsfViewState, add (?s) to the start of the regular expression. So you have:
(?s)<input type="hidden" name="javax\.faces\.ViewState" id="javax\.faces\.ViewState" value="(.+?)" />
This allows the (.+?) to span line break characters.
Your regular expression extractor is in the wrong place. You cannot extract a value from the response to a request and then send it with the same request. The only way to achieve this is to use a time machine, but these don't exist yet and even if they did, it probably wouldn't work.
Typically you get a viewstate in the response to a GET and then you later need it in the POST of the same page. So, put the regular expression extractor as a child of the GET call where the login.xhtml page is first called (as a GET). If your recording does not include this GET call then either add it manually or examine the responses of previous calls before your login POST to find it, eg. maybe the GET homepage.xhtml (or similar) will include it.
So, I'm using HTTP Post Requests in Android Java to log into a website, before extracting the entire HTML code. After that, I use Pattern/Matcher (regex) to find all the elements I need before extracting them from the HTML data, and deleting everything unnecessary. For instance when I extract this:
String extractions = <td>Good day sir</td>
Then I use:
extractions.replaceAll("<td>", "").replaceAll("</td>", "");
I do this multiple times until I have all the data needed from that site, before I display it in some kind of list.
I'm not particularly stuck on anything, but please, can you tell me if this is an effective/efficient/fast way of getting data from a page and processing it, or are there ways to do this faster? Because sometimes it's like my program takes a lot of time to get certain data (although mostly that's when I'm on 3G on my phone).
Like others have said, regex is not the best tool for this job. But in this case, the particular way you use regex is even more inefficient than it would normally be.
In any case, let me offer one more possible solution (depending on your use case).
It's called YQL (Yahoo Query Language).
http://developer.yahoo.com/yql/
Here is a console for it so you can play around with it.
http://developer.yahoo.com/yql/console/
YQL is the lazy developer's way to build your own api on the fly. The main inconvenience is that you have to use Yahoo as a go-between, but if you're ok with that, then I'd suggest you go that route. Using YQL is probably the quickest way to get that kind of work done (especially if the html you're targeting keeps on changing and if its html tags are not always valid).
Using regex to parse a website is always a bad idea:
How to use regular expressions to parse HTML in Java?
Using regular expressions to parse HTML: why not?
Have a look at the Apache Tika library for extracting text from HTML - there are many other parsers also available, such as PDF etc. : http://tika.apache.org/