After submitting my data from an HTML form, the servlet adds these data to my DB and forwards a result message to a JSP page. I want to keep the values in the form after adding this info. Is it sensible to create an object in the servlet, put all the parameters I receive into it, and send it with the request to the JSP? Is there another, better way?
A:
You could access request parameters by `${param}`.

```html
<input name="foo" value="${param.foo}">
...
<input type="radio" name="bar" value="a" ${param.bar == 'a' ? 'checked' : ''}>
...
<select name="baz">
<option value="b" ${param.baz == 'b' ? 'selected' : ''}>label</option>
...
<textarea name="boo">${param.boo}</textarea>
```
This basically prints `request.getParameter("foo")` as input value. This way the submitted value will be retained in the input elements.
However, this is sensitive to XSS attacks. You need to escape XML entities like `<`, `>`, `"`, `'` to avoid them getting interpreted literally in the generated HTML output. JSTL's `fn:escapeXml()` is helpful in this.
```html
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
...
<input name="foo" value="${fn:escapeXml(param.foo)}">
...
<textarea name="boo">${fn:escapeXml(param.boo)}</textarea>
```
Of course, if you're using the MVC approach, you can also replace `${param.foo}` by `${bean.foo}`.
BalusC
2010-10-14 21:35:01
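The servlet side of the flow the question describes (store the submitted data, then show the same form again with a result message), as an added example that is not part of the answer above or of any project's code. The URL pattern, the JNDI name `jdbc/appDS`, the `users` table, the `userName`/`email` field names and the path `/WEB-INF/form.jsp` are all assumptions. The point it demonstrates is why `${param.userName}` still works in the JSP: the servlet forwards rather than redirects, so the JSP sees the original request and its parameters, and the stored text is left exactly as typed so that escaping stays an output concern.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

// Hypothetical servlet: the URL pattern, JSP path, JNDI name and table are assumptions.
@WebServlet("/register")
public class RegisterServlet extends HttpServlet {

    private static final String FORM_JSP = "/WEB-INF/form.jsp";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // First display: no parameters yet, so ${param.*} in the JSP renders empty fields.
        request.getRequestDispatcher(FORM_JSP).forward(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String userName = request.getParameter("userName");
        String email = request.getParameter("email");

        String message;
        try {
            // Store the text verbatim. No HTML escaping here: that is done at output
            // time in the JSP with fn:escapeXml(), so the database keeps the real value.
            saveUser(userName, email);
            message = "User saved.";
        } catch (SQLException e) {
            log("insert failed", e);
            message = "Saving failed, please try again.";
        }
        request.setAttribute("message", message); // shown in the JSP as ${message}

        // forward(), not sendRedirect(): the JSP is rendered within the same request,
        // so ${param.userName} and ${param.email} still carry the submitted values and
        // the form re-renders them. A redirect would start a fresh GET without them.
        request.getRequestDispatcher(FORM_JSP).forward(request, response);
    }

    private void saveUser(String userName, String email) throws SQLException {
        try {
            DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/appDS");
            try (Connection con = ds.getConnection();
                 PreparedStatement ps = con.prepareStatement(
                         "INSERT INTO users (user_name, email) VALUES (?, ?)")) {
                // Bound parameters: the raw text can never become part of the SQL statement.
                ps.setString(1, userName);
                ps.setString(2, email);
                ps.executeUpdate();
            }
        } catch (NamingException e) {
            throw new SQLException("DataSource lookup failed", e);
        }
    }
}
```

The JSP named here is the one from the answer: `value="${fn:escapeXml(param.userName)}"` on each input, plus a `${message}` placeholder for the result text. Because the servlet only forwards, nothing has to be copied into a bean just to redisplay the form; a bean becomes useful once the values come from somewhere other than the current request, which is the `${bean.foo}` case the answer mentions.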
It works with text fields, but what if I want to use it with `<input type="radio">` and the value is static, for example `value="E"`?
Alaa
2010-10-14 22:42:28
Render `checked` conditionally. E.g. `${param.foo == 'E' ? 'checked' : ''}`. I updated the answer with some more examples.
BalusC
2010-10-14 22:44:45
It works, thank you. About XSS: I am trying to make a filter for all parameters for all JSP pages; I think it could be easier than checking each input. Can I know your opinion about that?
Alaa
2010-10-14 22:59:01
No, certainly don't do that. Do it during redisplaying user-controlled input only, the latest possible moment. Or adopt an existing robust and well-developed MVC framework like JSF. It will take care of this automagically.
BalusC
2010-10-14 23:06:52
Can you tell me why not to use a filter? Do you mean that the filter will slow the response of JSP requests? And actually I didn't get what you mean with "Do it during redisplaying user-controlled input only". Do you mean check each input?
Alaa
2010-10-14 23:32:20
Sanitizing XSS during request processing will cause trouble in the long term as this is not the normal practice. Maintainability, reusability and portability of the app and the data will suffer from this. Do it during response processing only. With "during redisplaying user-controlled input" I just mean straight in the JSP, exactly as demonstrated in my answer. If you insist you can always do things differently; I am just warning about future regrets and waste of time.
BalusC
2010-10-14 23:33:05
Mr BalusC, `escapeXml()` doesn't work; the script has been added to my DB as is. Here is my work: `<input type="text" name="userName" value="${fn:escapeXml(param.userName)}" />`. I read that it replaces characters that have special meaning in XML with their corresponding character entity code. Does that mean that instead of saving it in the DB as `<` it will be added as `&lt;`??
Alaa
2010-10-15 00:16:35
Scripts won't be executed in the DB. This does absolutely no harm. This is perfectly fine. The `escapeXml()` will escape them when it's about to be redisplayed in HTML. Remove it and retest. You'll see that the script will be executed.
BalusC
2010-10-15 00:26:22
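The exchange above about where to escape (output time in the JSP, not a request filter, and why the raw value in the database is fine) can be made concrete outside a container. This is an added illustration written for this page, not code from BalusC or from JSTL; `escapeXml()` here reproduces the five replacements that `fn:escapeXml()` performs, and the sample value, the field name and the hypothetical storage steps are constructed for the demonstration.

```java
/**
 * Added illustration of output-time escaping versus input-time sanitizing.
 * escapeXml() mirrors the replacements of JSTL's fn:escapeXml(); nothing here is
 * JSTL's own code.
 */
public final class OutputEscapingDemo {

    /** Same five substitutions as fn:escapeXml(): &lt; &gt; &amp; &#039; &#034;. */
    static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** What ${param.foo} produces: the value dropped into the attribute verbatim. */
    static String renderUnescaped(String name, String value) {
        return "<input name=\"" + name + "\" value=\"" + value + "\">";
    }

    /** What ${fn:escapeXml(param.foo)} produces: the value cannot leave the attribute. */
    static String renderEscaped(String name, String value) {
        return "<input name=\"" + name + "\" value=\"" + escapeXml(value) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample: a value that closes the attribute and opens a script element.
        String submitted = "\"><script>alert(1)</script>";

        // 1. The database keeps the text as typed. A string in a column executes nothing.
        String stored = submitted;

        // 2. Redisplay without escaping: the browser would see a second element here.
        System.out.println(renderUnescaped("userName", stored));
        //   <input name="userName" value=""><script>alert(1)</script>">

        // 3. Redisplay with escaping: one input element whose value is the literal text.
        System.out.println(renderEscaped("userName", stored));
        //   <input name="userName" value="&#034;&gt;&lt;script&gt;alert(1)&lt;/script&gt;&#034;>

        // 4. Why a request filter is the wrong place: if the text were escaped on the way
        //    in, the column would hold entities, and every later output path that escapes
        //    (as it must) would double-escape them.
        String escapedOnInput = escapeXml(submitted);
        System.out.println(renderEscaped("userName", escapedOnInput));
        //   value="&amp;#034;&amp;gt;&amp;lt;script&amp;gt;..." (user sees &#034;&gt;&lt;...)

        // 5. The browser decodes the entities back before submitting the form again, so
        //    re-saving the redisplayed value leaves the stored text unchanged.
        System.out.println(stored.equals(submitted));
        //   true
    }
}
```

Step 4 is the concrete form of the maintainability concern raised in the comments: data escaped on input is only correct for HTML output, and only if no other layer escapes it again, whereas raw data plus escaping at each output (HTML here, different rules for JSON, SQL or mail) stays correct everywhere.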