Commented code on a JSP page gets executed?

Question


I have created a JSP page to deal with the exceptions:

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>

<div class="row">

    <div class="col-md-6 col-md-offset-3 col-sm-8 offset-sm-2 text-center">

        <div class="messageJsp">
            <c:out value="${message}" />
        </div>


        <!--

        Failed URL: <c:out value="${url}" />
        Exception Message: <c:out value="${exception.message}" />

        <c:forEach var="line" items="${exception.stackTrace}">
            <c:out value="${line}" />
        </c:forEach>

         -->

    </div>
</div>

And I also have a Java class that sends info about exceptions to that JSP page:

// Imports added for completeness (javax.servlet applies to Spring 5 / Spring Boot 2;
// Spring 6 / Boot 3 use jakarta.servlet.http.HttpServletRequest instead).
import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.servlet.ModelAndView;

@ControllerAdvice
public class GlobalExceptionHandler {

    // Generic message text read from application properties
    @Value("${message.error.exception}")
    private String exceptionMessage;

    @ExceptionHandler(value=Exception.class)
    public ModelAndView defaultErrorHandler(HttpServletRequest req, Exception e) {
        ModelAndView modelAndView = new ModelAndView();

        modelAndView.getModel().put("message", exceptionMessage);
        modelAndView.getModel().put("url", req.getRequestURI());
        // The whole Exception object is handed to the view, so EL expressions
        // such as ${exception.stackTrace} can render it into the response.
        modelAndView.getModel().put("exception", e);
        modelAndView.setViewName("app.exception");

        return modelAndView;
    }
}

And for testing purposes I intentionally added an exception to my code to test this, and I'm getting all the information from the code that is commented out in the JSP page. I don't understand why or how that works, so I was hoping I could get an explanation:

NOTE: After the error happens I get redirected to the error page, and if I right-click on the page -> View page source, I can see in the comment that my commented JSP code actually executed and provided the info for me (which is great, but I don't understand how).

Page source can be found here: Stacktrace comment

Answer 1

Score: 0


There exist HTML comments (<!-- -->), in which everything is executed on the server side, and JSP comments (<%-- --%>), which are code-relevant comments. So this allows you to output hidden info in HTML comments as the result of code execution.

But it can also execute unintended code that is assumed to be commented out. The same holds for syntax errors (i.e. in JSP tags).
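The behaviour the answer describes is the reason passing the raw Exception into the view is risky: whatever the model carries can end up in the response body, HTML comment or not, and a stack trace plus request URI in a comment is still an information leak to anyone who views the source. As an added example (not code from the question or the answer), here is a hardened variant of the handler above: it logs the full trace server-side under a generated reference id and gives the view only the generic message and that id. Assumed: SLF4J on the classpath (Spring Boot ships it) and the same message.error.exception property the question uses; SafeGlobalExceptionHandler and errorId are names chosen here.

```java
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.servlet.ModelAndView;

// Added example, not the question's code: the Exception object never enters the
// view model, so no JSP/JSTL expression (inside an HTML comment or not) can
// render the trace or the failing URI to the client.
@ControllerAdvice
public class SafeGlobalExceptionHandler {

    private static final Logger log = LoggerFactory.getLogger(SafeGlobalExceptionHandler.class);

    // Same property the question uses for its generic user-facing message
    @Value("${message.error.exception}")
    private String exceptionMessage;

    @ExceptionHandler(Exception.class)
    public ModelAndView defaultErrorHandler(HttpServletRequest req, Exception e) {
        // Correlation id (hypothetical name): shown to the user and written to the
        // server log, so support can find the full trace without exposing it.
        String errorId = UUID.randomUUID().toString();

        // Full detail stays server-side. SLF4J prints the stack trace because the
        // Throwable is the last argument; the URI is logged, never rendered.
        log.error("errorId={} uri={} exception={}", errorId, req.getRequestURI(), e.toString(), e);

        ModelAndView mav = new ModelAndView("app.exception");
        mav.addObject("message", exceptionMessage);
        mav.addObject("errorId", errorId);
        // Deliberately absent: "url" and "exception". With nothing bound to them,
        // ${url} and ${exception.message} evaluate to empty and the c:forEach over
        // ${exception.stackTrace} iterates zero times.
        return mav;
    }
}
```

On the view side, replace the `<!-- ... -->` block with a JSP comment `<%-- ... --%>` (or delete it): the JSP translator drops a JSP comment before the page is compiled, so nothing inside it is evaluated or sent, whereas an HTML comment is ordinary template text that is evaluated and shipped to the browser. To check the fix, request a URL that fails and inspect the raw response (curl -i or View page source): neither the stack trace nor the request URI should appear, inside or outside a comment.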

huangapple
  • Posted on 2020-09-22 18:04:13
  • Please keep this link when reposting: https://go.coder-hub.com/64007441.html