Controlling the Use of Scripting Elements
With all the new features available through the JSP EL, JSTL, and
custom actions, scripting elements are rarely needed. A company may
decide to implement a policy of forbidding scripting elements
altogether, avoiding all the potential problems that scripting
introduces. A policy like this can be enforced with the
<scripting-invalid>
element, for all or
selected parts of the application:
<web-app ...>
...
<jsp-config>
<jsp-property-group>
<url-pattern>*.jsp</url-pattern>
<scripting-invalid>true</scripting-invalid>
</jsp-property-grop>
</jsp-config>
...
</web-app>
With this configuration, the container refuses to process a JSP page that contains any scripting element (i.e., a scripting declaration, expression, or scriptlet). Since this represents a policy decision, there’s no way to override this value in an individual JSP page.
Get JavaServer Pages, 3rd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.