The path to a java attack: a review of Java Web JSP basics, EL expressions and the JSTL tag library

Source: Internet
Author: User
Tags html comment tld

JSP Technology
Must master: JSP syntax + EL + JSTL

Why did Sun introduce JSP technology?
Generating web pages from a Servlet is cumbersome: a Servlet does not support HTML syntax, so the HTML has to be written to the output stream obtained from the response. JSP supports HTML syntax, which makes generating HTML convenient.

What are the differences and relationships between JSP and Servlet technologies?
Both JSP and Servlet are used to generate web pages dynamically. A Servlet does not support HTML syntax, so generating pages with it is awkward; JSP supports HTML syntax, so generating pages is convenient. At run time a JSP is translated into a Servlet and executed: a JSP is a Servlet.

How does JSP work?
The client requests a JSP file. The server reads the JSP file and translates it into a Servlet. The Servlet is compiled and run to generate the web page.

JSP script elements: <%! %>, <%= %> and <% %>
<%! %> Declaration: defines the global (member) variables, global methods, and inner classes of the translated Servlet class.
<%= %> Expression: outputs content to the browser; the effect is the same as out.print.
<% %> Scriptlet: a block of Java code embedded in the page; it is copied into the Servlet as-is, without translation.

The Servlet translated from a JSP is stored in the tomcat/work directory.
* In the translated Servlet, all HTML in the page is output with out.write.

JSP pages support three kinds of comments
1. JSP comments: <%-- --%>. This comment exists only in the source of the JSP file; it disappears when the JSP is translated into a Servlet.
* Code inside this comment is not executed.

2. Java comments: /** */ documentation comments, /* */ multi-line comments, and // single-line comments
Documentation comments /** */ are used to generate javadoc and mainly annotate packages, classes, member variables, and member methods ------ they are for users of the code.
Multi-line and single-line comments do not generate javadoc. They are used inside methods to explain the implementation logic ------ they are for the programmers reading the code.
* Java comments are kept when the JSP is translated into a Servlet and are ignored when the Servlet is executed. They do not appear in the source of the generated HTML page.

3. HTML comments: <!-- -->
* When the JSP is translated into a Servlet, these are translated into out.print calls, so they also appear in the source of the generated HTML page.

Conclusion: JSP comments disappear in the translation phase, Java comments disappear in the Servlet run phase, and HTML comments do not disappear.

Question:
<%
String s = "abcd";
%>
<!-- Annotate JSP or java code with HTML comments <%= s %> -->
Result in the page source: <!-- Annotate JSP or java code with HTML comments abcd -->
Conclusion: HTML comments cannot prevent JSP or Java code from being executed.
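
A check for the situation in the question above, as an added example that is not part of the original page: it scans JSP source for HTML comments that still contain <% %> elements, and (going one step beyond the text) ${...} EL expressions, because both are evaluated on the server and their output reaches the browser. The class name and the sample page are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not from the original page): find server-side code inside HTML comments.
public class JspCommentAudit {

    // <%-- ... --%> is removed at translation time, so anything inside it never runs.
    private static final Pattern JSP_COMMENT = Pattern.compile("<%--.*?--%>", Pattern.DOTALL);
    // <!-- ... --> is written to the response, together with the output of code inside it.
    private static final Pattern HTML_COMMENT = Pattern.compile("<!--.*?-->", Pattern.DOTALL);
    // Any <% ... %> element (scriptlet, expression, declaration, directive) or ${...} EL.
    private static final Pattern JSP_CODE =
            Pattern.compile("<%.*?%>|\\$\\{[^}]*\\}", Pattern.DOTALL);

    /** Returns one "line N: code" entry for each JSP element found inside an HTML comment. */
    public static List<String> findings(String jsp) {
        // Blank out JSP comments but keep newlines so reported line numbers stay correct.
        StringBuilder visible = new StringBuilder(jsp);
        Matcher jc = JSP_COMMENT.matcher(jsp);
        while (jc.find()) {
            for (int i = jc.start(); i < jc.end(); i++) {
                if (visible.charAt(i) != '\n') {
                    visible.setCharAt(i, ' ');
                }
            }
        }
        List<String> out = new ArrayList<>();
        Matcher hc = HTML_COMMENT.matcher(visible);
        while (hc.find()) {
            Matcher code = JSP_CODE.matcher(hc.group());
            while (code.find()) {
                int line = lineOf(visible, hc.start() + code.start());
                out.add("line " + line + ": " + code.group());
            }
        }
        return out;
    }

    // 1-based line number of a character offset.
    private static int lineOf(CharSequence text, int offset) {
        int line = 1;
        for (int i = 0; i < offset; i++) {
            if (text.charAt(i) == '\n') {
                line++;
            }
        }
        return line;
    }

    public static void main(String[] args) {
        // Constructed sample page, modelled on the question above.
        String jsp = String.join("\n",
                "<% String s = \"abcd\"; %>",
                "<!-- Annotate JSP or java code with HTML comments <%= s %> -->",
                "<%-- JSP comment, dropped at translation: <%= s %> --%>",
                "<!-- plain HTML comment -->",
                "<!-- debug: ${sessionScope.user} -->");
        for (String finding : findings(jsp)) {
            System.out.println(finding);
        }
    }
}
```

Each finding is a candidate for conversion to a <%-- --%> comment or for removal.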

JSP directives (Directive)
page directive
include directive
taglib directive

Syntax: <%@ directive-name attribute="value" attribute="value" ... %>

The page directive defines the global attributes of a JSP file. <%@ page attribute="value" %>
1. language: can only be java.
2. extends: the parent class that the Servlet inherits after the JSP is translated. This attribute is normally not set; if you have to set it, the parent class must be a Servlet implementation class.
3. session: defines whether the session implicit object can be used directly in the JSP.
If the attribute is set to true, the following two lines of code are generated when the JSP is translated into a Servlet:
HttpSession session = null;
session = pageContext.getSession();
* To use the HttpSession object in a JSP, this attribute must be true; the default value of the session attribute is true.
4. import: imports packages into the Servlet translated from the JSP.
Packages imported by default when a JSP is translated into a Servlet:
import javax.servlet.*;
import javax.servlet.http.*;
import javax.servlet.jsp.*;
The JRE imports java.lang by default.
* If a class used in the JSP does not belong to these four packages, its package must be imported.
5. buffer and autoFlush: set the attributes of the out implicit object.
buffer sets the buffer size.
autoFlush sets whether the buffer is flushed automatically when it is full.
6. isELIgnored: sets whether the JSP evaluates EL expressions.
isELIgnored="false": do not ignore --- EL is parsed and executed
isELIgnored="true": ignore ---- EL is not parsed
* Generally, the default value is false.

7. contentType and pageEncoding: set the JSP page encoding.
pageEncoding is the character encoding of the JSP source file on disk.
contentType is the encoding of the HTML that the Servlet generates and sends to the browser.

8. errorPage and isErrorPage: control where the request goes when an error occurs in the JSP page.
Set a friendly error page: when a page fails, the user should not see a page containing code errors, but a friendly page.
Use errorPage to specify the page to jump to when an error occurs in the page.
* IE shows its own friendly error page by default. To see your own friendly page, turn off IE's default friendly page:
IE Tools --- Internet Options ----- Advanced ----- clear the "Show friendly HTTP error messages" check box

On the friendly error page, set the isErrorPage attribute to be able to obtain the cause of the error.

* In actual development, the error handling method described above is generally not used.

The second way to handle error pages: it covers not only 500, but also 404
Configure web.xml:
<error-page>
<error-code>500</error-code>
<location>/demo5/500.jsp</location>
</error-page>


The include directive performs static page inclusion ----- extract the common parts of pages and build the page layout with include.
Syntax: <%@ include file="file path" %>

The entire content of the target page is included into the including page, so the included page only needs to be an HTML fragment rather than a complete HTML document.

How static inclusion works
* The inclusion is done when the JSP is translated into a Servlet, before the Servlet is executed. The include path therefore cannot contain variables and cannot carry parameters appended with ?. The target file must exist.
* Special case: the included page may contain an error on its own; as long as the Servlet produced after inclusion has no error, it can be executed.

The taglib directive references a tag library file in the JSP page.
* Tags are defined to simplify JSP page development.
* Use the taglib directive to introduce the JSTL tag library. Syntax: <%@ taglib uri="" prefix="" %>
uri ---- the unique namespace of a tag library
prefix ---- the namespace prefix

When referencing JSTL, look at META-INF/c.tld in the imported jstl.jar:
<short-name>c</short-name> -------- is the prefix attribute
<uri>http://java.sun.com/jsp/jstl/core</uri> ----- is the uri attribute

What are the nine built-in objects of JSP?
What is a built-in object? When a JSP is translated into Servlet code, some objects are already created by default. These objects can be used directly in the JSP and are called built-in objects.

page, request, session, application, response, pageContext, out, config, exception
request HttpServletRequest ---- request object
response HttpServletResponse ---- response object
session HttpSession ------- session object
application ServletContext ------ the globally unique object of the web application
config ServletConfig ------ initialization data
page this (HttpServlet)
pageContext PageContext
exception Throwable (the parent class of all exceptions) ----- when the page is an error page, use exception to get the exception information
* Throwable is the parent class of the Exception class.
out JspWriter

page refers to the Servlet object generated from the current JSP.
* page is of type Object, so only the methods of Object can be used. Using this object is not recommended during development.
* The page can be forcibly converted to

What data scopes does a Servlet have? Three: request, session, and ServletContext.
On top of the Servlet data scopes, JSP adds a new page scope, giving four JSP data scopes: page, request, session, application.
* Data stored in the page scope is valid only within the current JSP.

pageContext represents the context of the current page
1. It stores and retrieves data in the page scope.
findAttribute searches the four data scopes in turn: page, request, session, and application.
In EL, ${name} calls findAttribute to search for the data in the four scopes.

2. pageContext is used to obtain the other eight implicit objects.
* pageContext encapsulates the eight implicit objects. This is significant for writing frameworks: obtaining the PageContext object is equivalent to obtaining all nine JSP built-in objects.

out object
out outputs information to the browser. It is of type JspWriter, is implemented internally on top of a PrintWriter, and has its own independent buffer.
Creating the out object: out is obtained through the pageContext object. When the pageContext object is created, the size of the out buffer and whether it is flushed automatically are specified.
* Use the buffer and autoFlush attributes of the page directive to set the size of the out buffer and whether it is flushed automatically.

What is the difference between out and response.getWriter()?
out.println("aaa");
response.getWriter().println("bbb");
out.print("ccc");
Content written with response.getWriter() is output before content written with out.

page request session application response out config pageContext exception


What are the differences between JSP directives and JSP tags?
JSP directive: Directive
JSP tag: Action

Six action tags in JSP
<jsp:useBean> <jsp:setProperty> <jsp:getProperty> ----- covered tomorrow with JavaBean operations
<jsp:include> <jsp:forward> <jsp:param>

<jsp:include> has the same effect as request.getRequestDispatcher().include
<jsp:forward> has the same effect as request.getRequestDispatcher().forward

The function of the <jsp:include> tag is equivalent to <%@ include %>
Principle: dynamic inclusion
Syntax: <jsp:include page="file path"/>

The included page does not need to be complete HTML; an HTML fragment is enough.

Difference between jsp:include and @include
The @include directive is static inclusion. The inclusion is performed when the JSP is translated into a Servlet; what is included is the source code of the target page, and everything is translated into one Servlet and executed together.
The jsp:include tag is dynamic inclusion. The inclusion is performed when the including page's Servlet is executed; what is included is the HTML output generated by the Servlet translated from the target JSP. Each included JSP is translated into a separate Servlet and executed separately.

<jsp:forward page="/demo11/B.jsp"></jsp:forward> is equivalent to request.getRequestDispatcher("/demo11/B.jsp").forward(request, response);

<jsp:forward page="/demo11/B.jsp">
<jsp:param value="itcast" name="name"/>
</jsp:forward>
The preceding code passes a parameter with jsp:param. Usually, to pass a value, setAttribute is used directly.

EL (Expression Language) originated in the community. It was incorporated into the official specification from Servlet 2.4.
Functions:
1. EL obtains data stored in the four JSP scopes (and accesses JavaBean properties)
2. EL expressions support operations
3. 11 built-in EL objects: the common web development objects
4. EL calls Java methods

EL has been part of the specification only since Java EE 1.4. In Java EE 1.3 and earlier, EL is not parsed by default.
* To have EL parsed in Java EE 1.3 and earlier, set the page attribute isELIgnored="false".

1. Use EL to obtain data in the four JSP scopes
To name one of the four scopes explicitly: ${pageScope.attributeName} ${requestScope.attributeName} ${sessionScope.attributeName} ${applicationScope.attributeName}
If no scope is specified, ${attributeName} calls pageContext.findAttribute to search the four scopes.
If the attribute does not exist, an empty string is returned instead of null.

When obtaining values from arrays, Lists, and Maps, use [] to get the value.
What is the difference between . and []?
Answer: both . and [] can be used to obtain EL attribute values. Whatever . can do, [] can do as well.
Example: ${pageScope.user.name} can also be written as ${pageScope.user["name"]} ([] can replace . only when accessing a property of an object that has already been obtained)
[] can be used with names containing special characters, but . cannot.
For example:
pageContext.setAttribute("0", "itcast");
pageContext.setAttribute("aa.bb", "Chunsheng");
These can be accessed only through [] ----- Note: when using [] to get an attribute value, put the name in quotes; without quotes it is treated as a variable.

When getting a value with EL, use [] if the attribute name contains special characters; otherwise use .

2. Perform arithmetic, comparison, and logical operations in EL
When EL performs an operation, the expression must be written inside ${ }.
* When EL obtains attribute values and performs arithmetic, data types are converted automatically. The operands of an arithmetic operation must be numbers.
${"A" + "B"} ---- number format error

empty operator
1) Determine whether an attribute exists. The empty operator is generally used together with c:if.
2) Use empty to determine whether a List or Map is empty (size == 0)

Binary expression: ${user != null ? user.name : ""} ----- ternary operator

3. 11 built-in EL objects
pageScope requestScope sessionScope applicationScope: the four data scopes, used to get values

pageContext: the current JSP context ----- ${pageContext.request.contextPath}

${param.name} is equivalent to request.getParameter("name")
${paramValues.holobby} is equivalent to request.getParameterValues("holobby")
${header.referer} is equivalent to request.getHeader("referer")
${headerValues["Accept-Encoding"]} is equivalent to request.getHeaders("Accept-Encoding")

${initParam.name} is equivalent to getServletContext().getInitParameter("name")

The cookie implicit object: you must know how to write this
Cookie[] cookies = request.getCookies();
// getCookies() returns null when the request carries no cookies
if (cookies == null) {
    out.println("cookie does not exist!");
} else {
    for (Cookie cookie : cookies) {
        if (cookie.getName().equals("address")) {
            out.println(cookie.getValue());
        }
    }
}

Using EL: ${cookie.address.value}

4. Values obtained with EL often need further processing ----- EL functions
Steps:
Step 1: Write a Java class that provides static methods.
Step 2: Write a tld file and describe the functions in it.
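
The two steps above as an added example (not code from the original page): the class is step 1 and the TLD in its header comment is step 2. The package demo.el, the class MaskFunctions, the function mask, the TLD uri http://example.com/el/my and the session attribute cardNumber are all hypothetical names chosen for illustration.

```java
package demo.el; // hypothetical package name

/**
 * Added example, step 1: an EL function is a public static method of a public class.
 *
 * Step 2: describe it in a .tld file under WEB-INF (file name and uri are assumptions):
 *
 * <taglib xmlns="http://java.sun.com/xml/ns/j2ee" version="2.0">
 *   <tlib-version>1.0</tlib-version>
 *   <short-name>my</short-name>
 *   <uri>http://example.com/el/my</uri>
 *   <function>
 *     <name>mask</name>
 *     <function-class>demo.el.MaskFunctions</function-class>
 *     <function-signature>java.lang.String mask(java.lang.String, int)</function-signature>
 *   </function>
 * </taglib>
 *
 * Use in a JSP, still escaping the result with c:out:
 *   <%@ taglib uri="http://example.com/el/my" prefix="my" %>
 *   <c:out value="${my:mask(sessionScope.cardNumber, 4)}"/>
 */
public final class MaskFunctions {

    private MaskFunctions() {
        // static helpers only
    }

    /**
     * Replaces every character except the last `keep` with '*'.
     * A missing attribute arrives from EL as null or "", so both yield "".
     */
    public static String mask(String value, int keep) {
        if (value == null || value.isEmpty()) {
            return "";
        }
        int hidden = Math.max(0, value.length() - Math.max(0, keep));
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            sb.append(i < hidden ? '*' : value.charAt(i));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values; the function can be exercised without a container.
        System.out.println(mask("4111111111111111", 4));
        System.out.println(mask("abc", 10));
        System.out.println(mask(null, 4).isEmpty());
    }
}
```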

Sun provides an EL function library in JSTL. It can be used directly after importing the JSTL jar.
1) Import jstl.jar
2) Introduce the function library namespace in the JSP page
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
* The EL function library is defined in META-INF/fn.tld in jstl.jar
3) The EL function library provided by Sun mainly offers 16 functions for string operations.
Syntax: ${fn:toUpperCase('asdasdsfsdf')}


In outsourced projects, JSP pages are not allowed to define script elements <% %> ----- the effect of <% %> code must be achieved with tag libraries and the expression language.
Using JSTL
1. Download the JSTL jar from the official website: versions 1.0, 1.1, 1.2
1.1 and 1.2 are basically the same; they were introduced after Servlet 2.4 (Java EE 1.4)
1.0 was introduced before Java EE 1.3
* EL was included in the specification in Java EE 1.4. With JSTL 1.0, EL was not yet part of the specification, so by default none of the 1.0 tags support EL.

2. Import the jar packages
JSTL 1.1 has two jars, jstl.jar and standard.jar ----- jstl.jar is the interface API, standard.jar is the implementation
Copy the two jars to the project's /WebRoot/WEB-INF/lib directory

3. Use the taglib directive to introduce the uri of the JSTL tag library in the JSP page.
JSTL is divided into five libraries: core (core tags), fmt (internationalization tags), sql (database tags), xml (XML tags), and fn (the EL function library)
Because database and XML operations are written in Servlet code, the sql and xml tag libraries are not covered.

Each tag library corresponds to a tld file in the jar's META-INF/ directory
For example: c.tld is the JSTL 1.1 tag library, and c-1_0.tld is the JSTL 1.0 tag library

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %> imports 1.1
<%@ taglib uri="http://java.sun.com/jstl/core" prefix="c" %> imports 1.0, which does not support EL
<%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c" %> imports 1.0, which supports EL
* /Jstl/demo.jsp (15, 0) According to TLD or attribute directive in tag file, attribute test does not accept any expressions

The 12 tags of the core tag library
1. c:out outputs content to the page ------- outputs an EL value, supplies a default value, and HTML-escapes the output
2. c:set sets a variable or property ---- stores data in one of the four scopes, or modifies a property of an object already in the four scopes
3. c:remove removes data from the four scopes
4. c:catch is equivalent to a try-catch block ----- catches an exception and stores the exception object in the specified page attribute
5. c:if replaces if conditions in the page
6. c:choose, c:when, c:otherwise implement the if-else effect --- and the switch effect
7. c:forEach implements the foreach loop ----- iterating over arrays, Lists, and Maps, looping a specified number of times (for example to compute a sum), and treating particular iterations specially
8. c:forTokens splits strings
9. c:param cannot be used on its own. It is used together with URL-related tags, typically with c:url to encode Chinese characters
10. c:import imports the target page: it saves the content of the target page for later use
11. c:url performs URL rewriting (when cookies are disabled on the client, it rewrites the URL and appends the jsessionid), and together with c:param URL-encodes Chinese characters
12. c:redirect performs a request redirect

Commonly used: c:set, c:if, c:forEach, c:url (for URL-encoding Chinese characters), c:redirect

Summary:
1. Relationship between JSP and Servlet
2. How JSP works
3. The three JSP script elements <%! %> <%= %> <% %>
4. JSP comments
5. Differences between the page directive attributes contentType and pageEncoding
6. Configuring friendly error pages in web.xml
7. Differences between <%@ include %> and <jsp:include>
8. <jsp:forward> forwarding and <c:redirect> redirection
9. Getting data with EL: . and []
10. Using empty and not
11. ${pageContext.request.contextPath} gets the project name, e.g. /day08 ----- ${cookie.name.value} quickly gets a cookie value
12. Using the EL function library provided by JSTL
13. Distinguishing JSTL 1.0 from 1.1
14. Common core tags
c:set, c:if, c:forEach, c:url with c:param for encoding, c:redirect

 


Can I use the following java code in the jstl and EL expressions to indicate that after repeated debugging, I found a strange problem.

Jstl is a JAVA standard tag Library
$ {}: This is an EL expression.
Two cannot be confused.

Your requirement here should be to randomly extract an attribute name from the array for the EL expression as the attribute name, which is generally to generate a random number within the length of the array, then use the $ method to get it. Remember that it is brackets.


For beginners of java web development, I don't know much about the content in jsp. Where should I learn?

When you are a beginner in java web, do not first learn the above figure. First, learn the simplest three combinations: Tomcat + JSP + Servlet.

You need to write the most primitive code, do not use any framework, including do not use: Struts, Spring, and so on.

After learning the principles of JSP + Servlet, you can use Struts again and use the figure above. At this time, you will know what <c:forEach> means? Why <c:forEach> is not an HTML tag, but it can be written on a JSP page.
