In JavaServer Pages, expressions are escaped by “<%=” and “%>”.
For example, <%= 1 + 1 %> would output 2.
On the Tomcat web server, JSP gets translated into a servlet. The above expression declaration is implemented as a translation into the following line of Java code embedded in a Servlet:
out.print( 1 + 1 );
According to the JSP specification, a translation error will occur if the expression inside the declaration is not well formed in the underlying language (i.e., is not a valid Java expression).
A fun quirk of JSP on the Tomcat server is that the following code doesn’t result in a compile error:
<%= ""); out.print("Hello, World!" %>
Obviously, ""); out.print("Hello, World!" is not a valid Java expression.
However, Tomcat uses a superficial syntactic translation.
Here’s what the above declaration looks like after translation:
out.print( ""); out.print("Hello, World!" );
This is valid Java, despite not being translated from a valid Java expression.
You shouldn’t and wouldn’t want to rely on this behavior. Instead, it is just a fun quirk that I like to use when teaching how JSP works under the hood.
Below is the full listing of a generated servlet containing only the invalid expression.
package org.apache.jsp;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.servlet.jsp.*;
public final class test_jsp extends org.apache.jasper.runtime.HttpJspBase
implements org.apache.jasper.runtime.JspSourceDependent {
private static final JspFactory _jspxFactory = JspFactory.getDefaultFactory();
private static java.util.List<String> _jspx_dependants;
private org.glassfish.jsp.api.ResourceInjector _jspx_resourceInjector;
public java.util.List<String> getDependants() {
return _jspx_dependants;
}
public void _jspService(HttpServletRequest request, HttpServletResponse response)
throws java.io.IOException, ServletException {
PageContext pageContext = null;
HttpSession session = null;
ServletContext application = null;
ServletConfig config = null;
JspWriter out = null;
Object page = this;
JspWriter _jspx_out = null;
PageContext _jspx_page_context = null;
try {
response.setContentType("text/html");
pageContext = _jspxFactory.getPageContext(this, request, response,
null, true, 8192, true);
_jspx_page_context = pageContext;
application = pageContext.getServletContext();
config = pageContext.getServletConfig();
session = pageContext.getSession();
out = pageContext.getOut();
_jspx_out = out;
_jspx_resourceInjector = (org.glassfish.jsp.api.ResourceInjector) application.getAttribute("com.sun.appserv.jsp.resource.injector");
out.print( ""); out.print("Hello, World!" );
out.write('\n');
out.write('\n');
} catch (Throwable t) {
if (!(t instanceof SkipPageException)){
out = _jspx_out;
if (out != null && out.getBufferSize() != 0)
out.clearBuffer();
if (_jspx_page_context != null) _jspx_page_context.handlePageException(t);
else throw new ServletException(t);
}
} finally {
_jspxFactory.releasePageContext(_jspx_page_context);
}
}
}
Published 19 November 2017 by Benjamin Johnston.