Thursday July 10, 2003

JSP 2.0 Article in July JDJ

I got the July issue of JDJ today. In it I found a good article on JSP 2.0 (printable, less ads version). Things I learned from the article:

  • JSTL 1.1 will introduce 16 standardized EL functions:
    - fn:length(): Get the length of a collection or a string.
    - fn:toUpperCase(), fn:toLowerCase(): Change the capitalization of a string.
    - fn:substring(), fn:substringBefore(), fn:substringAfter(): Get a subset of a string.
    - fn:trim(): Trim whitespace from a string.
    - fn:replace(): Replace characters in a string.
    - fn:indexOf(), fn:startsWith(), fn:endsWith(), fn:contains(), fn:containsIgnoreCase(): Check if a string contains another string.
    - fn:split(): Split a string into an array.
    - fn:join(): Join a collection into a string.
    - fn:escapeXml(): Escape XML characters in a string.
  • The tag libraries in JSTL 1.1 have new URIs (for example, http://java.sun.com/jsp/jstl/core instead of the JSTL 1.0 equivalent http://java.sun.com/jstl/core_rt). The new JSTL 1.1 tag libraries accept request-time expressions for their attributes, and delegate to the JSP container to evaluate EL expressions.

Good stuff to know. I'm ready to start developing JSP 2.0 apps - I hope the Tomcat dev team releases a stable build soon. Or maybe I should just look into using Resin...

Posted in Java at Jul 10 2003, 09:54:44 PM MDT 4 Comments

Comments:

Last time I tried Resin 3 it wouldn't even start up. Though that was a couple releases back... Just wanted to warn you.

Posted by Lance on July 11, 2003 at 07:48 AM MDT #

I've been seeing a lot of suggestions recently that all <c:out/> can/should be converted to bare EL on JSP 2.0. I recently converted an application to JSP 2.0 and found that there were very few cases where I could responsibly replace <c:out/> in this way. The reason is that bare EL does not escape XML characters, and this can have very undesirable side effects when the variable being presented is data from a database, for example (cross-site scripting attacks). ${fn:escapeXml(var)} offers some relief, but ${var} alone is so rarely safe that that or <c:out/> are here to stay... unfortunately.

Posted by Ken Pelletier on January 30, 2004 at 07:47 PM MST #

I now realize that the markup examples I wrote above explaining the troubles with not escaping markup were themselves not escaped.... ironic. Firstly - in my haste I'd bookmarked another entry here specifically about automating conversion from the JSTL c:out tag to bare EL expressions. That's what I was meaning to respond to... The above comments are about just that, c:out should not be converted en masse to EL. It does not escape xml characters. While I'm here - Matt, your site has been a wonderful source of information to me. Thanks!

Posted by Ken Pelletier on January 30, 2004 at 08:07 PM MST #
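A check for the problem raised in the two comments above, added here as an example (not code from the post or its commenters): it flags `${...}` written straight into template text without `fn:escapeXml`, and `<c:out>` with `escapeXml="false"`. It is a regex heuristic; the `c` and `fn` prefixes and the sample page are assumptions.

```python
import re

# JSP comments, scriptlets and directives: no EL is rendered from these.
JSP_BLOCK = re.compile(r"<%--.*?--%>|<%.*?%>", re.S)
# Prefixed action tags (<c:out>, <c:if>): EL in their attributes is a tag argument.
ACTION_TAG = re.compile(r"</?[A-Za-z_][\w.-]*:[\w.-]+(?:\"[^\"]*\"|'[^']*'|[^>\"'])*>", re.S)
# <c:out ... escapeXml="false"> switches escaping off again (prefix "c" assumed).
RAW_C_OUT = re.compile(r"<c:out\b[^>]*\bescapeXml\s*=\s*[\"']false[\"']", re.S)
EL = re.compile(r"(?<!\\)\$\{([^}]*)\}")

def _blank(match):
    """Replace a match with spaces, keeping newlines so line numbers hold."""
    return re.sub(r"[^\n]", " ", match.group(0))

def _wrapped_in_escape_xml(expr):
    """True only if the whole expression is one fn:escapeXml(...) call."""
    expr = expr.strip()
    if not expr.startswith("fn:escapeXml("):
        return False
    depth = 0
    for i, ch in enumerate(expr):
        depth += (ch == "(") - (ch == ")")
        if ch == ")" and depth == 0:
            return i == len(expr) - 1  # the first call must close at the very end
    return False

def find_unescaped_output(jsp_source):
    """Return sorted (line, snippet) pairs where output is not XML-escaped."""
    findings = []
    for m in RAW_C_OUT.finditer(jsp_source):
        findings.append((jsp_source.count("\n", 0, m.start()) + 1, "c:out escapeXml=false"))
    text = ACTION_TAG.sub(_blank, JSP_BLOCK.sub(_blank, jsp_source))
    for m in EL.finditer(text):
        if not _wrapped_in_escape_xml(m.group(1)):
            findings.append((text.count("\n", 0, m.start()) + 1, m.group(0)))
    return sorted(findings)

# Constructed sample page, not taken from any real application.
SAMPLE_JSP = """<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<p>Name: <c:out value="${user.name}"/></p>
<p>Bio: ${user.bio}</p>
<p>City: ${fn:escapeXml(user.city)}</p>
<a href="${user.homepage}">home</a>
<c:out value="${user.signature}" escapeXml="false"/>
<p>${fn:escapeXml(user.title)} ${user.company}</p>
"""
for line, snippet in find_unescaped_output(SAMPLE_JSP):
    print(f"line {line}: {snippet}")
```

Each finding is a place to review before or after a c:out-to-EL conversion, not proof of an exploitable bug; values that are never user-influenced will also be reported.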

<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%> When I put this, it shows this error: 'This absolute uri (http://java.sun.com/jstl/functions) cannot be resolved in either web.xml or the jar files deployed with this application' Please help me.

Posted by hudz on October 06, 2006 at 01:26 AM MDT #
