Jan Vladimir Mostert

Reputation: 13002

Using JSP as template parsing engine - security concerns

I have a question regarding the JSP template parsing engine.

What I'm building at the moment is something which allows clients to write their own templates in JSP (inside a textarea on a webpage) which can then be used for email, landing pages, etc.

Can JSP tags / scriptlets be used to access data other than that made available through ${variables} which I set in the HttpRequest?

In other words, would giving clients direct access to a JSP template engine pose a security risk, and if so, can I turn on / off certain JSP tags that pose a security risk?

Upvotes: 0

Views: 146

Answers (1)

Pavel Horal

Reputation: 18224

JSPs are tightly bound to the HTTP request lifecycle. JSPs are directly compiled into Java classes implementing HttpServlet. With scriptlets you would introduce a pretty obvious security hole into your system (JSP authors can write and execute arbitrary Java code on your server).

TL;DR JSPs are a pretty bad choice for your use-case. Use a templating engine which is not based purely on HTTP requests (String Template, Freemarker, ...).

Upvotes: 1
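As an added illustration of the answer's recommendation (this is example code written for this page, not code from the question or the answer), here is one way to render a client-submitted template with Freemarker so that the template can only reach the variables you explicitly put into the model. The class name `ClientTemplateRenderer`, the template name `"client-template"` and the sample template and data are assumptions made for the example; the Freemarker calls (`StringTemplateLoader`, `setNewBuiltinClassResolver`, `setAPIBuiltinEnabled`, `Template.process`) are real public API of Freemarker 2.3.x.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

/**
 * Renders templates typed by clients into a textarea. Unlike a JSP, the template
 * is never compiled into a servlet and has no scriptlets, no request/session
 * objects and no access to the servlet context: it sees only the model map.
 */
public class ClientTemplateRenderer {

    private final Configuration cfg;

    public ClientTemplateRenderer() {
        cfg = new Configuration(Configuration.VERSION_2_3_31);
        // Templates are plain strings supplied at render time, not files on disk
        // or resources from the web application, so a template cannot include
        // or import anything from the server's file system.
        cfg.setTemplateLoader(new StringTemplateLoader());
        // Disable the ?new built-in so a template cannot instantiate arbitrary
        // Java classes by name.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // Keep the ?api built-in off (it is off by default); it would hand the
        // template the raw Java objects behind model values.
        cfg.setAPIBuiltinEnabled(false);
    }

    /**
     * Renders one client template against a model. Keep model values to plain
     * Strings, numbers, Lists and Maps; do not pass arbitrary beans, because
     * the default object wrapper exposes their public methods to the template.
     */
    public String render(String clientTemplate, Map<String, Object> model)
            throws IOException, TemplateException {
        Template t = new Template("client-template", new StringReader(clientTemplate), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        ClientTemplateRenderer renderer = new ClientTemplateRenderer();

        // Constructed sample data: the only values the template can reference.
        Map<String, Object> model = new HashMap<>();
        model.put("firstName", "Alice");
        model.put("product", "Example Plan");

        // Constructed sample template, as a client might type it into the textarea.
        String clientTemplate = "Hello ${firstName}, thanks for choosing ${product}.";

        System.out.println(renderer.render(clientTemplate, model));
    }
}
```

The important design choice is that the model map is the whole interface between the server and the client's template: anything not put into it (request objects, session, configuration, file system) is simply not reachable, which is the guarantee a JSP with scriptlets cannot give.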
