A JSP quirk

In JavaServer Pages, expressions are escaped by “<%=” and “%>”. For example, <%= 1 + 1 %> would output 2.

On the Tomcat web server, JSP gets translated into a servlet. The above expression declaration is implemented as a translation into the following line of Java code embedded in a Servlet:

out.print( 1 + 1 );

According to the JSP specification, a translation error will occur if the expression inside the declaration is not well formed in the underlying language (i.e., is not a valid Java expression).

A fun quirk of JSP on the Tomcat server is that the following code doesn’t result in a compile error:

<%= ""); out.print("Hello, World!" %>

Obviously, ""); out.print("Hello, World!" is not a valid Java expression. However, Tomcat uses a superficial syntactic translation. Here’s what the above declaration looks like after translation:

out.print( ""); out.print("Hello, World!" );

This is valid Java, despite not being translated from a valid Java expression.

You shouldn’t and wouldn’t want to rely on this behavior. Instead, it is just a fun quirk that I like to use when teaching how JSP works under the hood.

Below is the full listing of a generated servlet containing only the invalid expression.

package org.apache.jsp;

import javax.servlet.*;
import javax.servlet.http.*;
import javax.servlet.jsp.*;

public final class test_jsp extends org.apache.jasper.runtime.HttpJspBase
    implements org.apache.jasper.runtime.JspSourceDependent {

  private static final JspFactory _jspxFactory = JspFactory.getDefaultFactory();

  private static java.util.List<String> _jspx_dependants;

  private org.glassfish.jsp.api.ResourceInjector _jspx_resourceInjector;

  public java.util.List<String> getDependants() {
    return _jspx_dependants;
  }

  public void _jspService(HttpServletRequest request, HttpServletResponse response)
        throws java.io.IOException, ServletException {

    PageContext pageContext = null;
    HttpSession session = null;
    ServletContext application = null;
    ServletConfig config = null;
    JspWriter out = null;
    Object page = this;
    JspWriter _jspx_out = null;
    PageContext _jspx_page_context = null;

    try {
      response.setContentType("text/html");
      pageContext = _jspxFactory.getPageContext(this, request, response,
                null, true, 8192, true);
      _jspx_page_context = pageContext;
      application = pageContext.getServletContext();
      config = pageContext.getServletConfig();
      session = pageContext.getSession();
      out = pageContext.getOut();
      _jspx_out = out;
      _jspx_resourceInjector = (org.glassfish.jsp.api.ResourceInjector) application.getAttribute("com.sun.appserv.jsp.resource.injector");

      out.print( ""); out.print("Hello, World!" );
      out.write('\n');
      out.write('\n');
    } catch (Throwable t) {
      if (!(t instanceof SkipPageException)){
        out = _jspx_out;
        if (out != null && out.getBufferSize() != 0)
          out.clearBuffer();
        if (_jspx_page_context != null) _jspx_page_context.handlePageException(t);
        else throw new ServletException(t);
      }
    } finally {
      _jspxFactory.releasePageContext(_jspx_page_context);
    }
  }
}

Published 19 November 2017 by Benjamin Johnston.