Hello *!

I'm trying my first steps with JSP at the moment. I think JSP is a very
powerful tool for writing dynamic HTML pages. In my opinion, in some
points too powerful. For instance, an HTML author has the possibility to
include scripts written in Java. The scripts can do "anything". This
could be a security gap, because a JSP-generated servlet runs with
"shadow"-beans (proxies of the real application) and the real
application on the same JVM.
I believe an untrusted HTML author can write a JSP file which attacks the
application (of course the hacker needs some more information about the
application).
I would like to have the possibility to customize the "features" of
JSP, for instance to prohibit scripting-centric tags or server-side
includes. Does anyone know an implementation of JSP with such options?

I would be grateful for any information.

Regards,
Dirk Bracklow
--
--------------------------------------------------------------------------------

Dirk Bracklow    S.E.S.A. GmbH  Germany (http://www.sesa.de)
mailto:[EMAIL PROTECTED]
--------------------------------------------------------------------------------

===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff JSP-INTEREST".  For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".