This rule flags the use of the '#{' sequence in JSP files.
In JSP 2.1, the #{} syntax is reserved: it denotes a deferred Expression Language (EL) expression.
Older JSP files that contain the #{ sequence as literal text generate an error when they are used with JSP 2.1.
For the rule to flag a #{ sequence, the following conditions must be met:
- The servlet version (from web.xml) must be 2.4 or greater.
- The page does not have a directive of isELIgnored="true" set.
- The page does not map to a <url-pattern> in a <jsp-property-group> (from <jsp-config> in web.xml) with <el-ignored> set to true.
- The #{ sequence is in JSP template text.
- The #{ sequence is in a tag that is not a JavaServer Faces (JSF) tag.
The rule detects the JSF tags by comparing the tag prefix to the list of prefixes provided in the rule property called "Bypass tags using these prefixes".
The default values of the bypassed JSF prefixes are:
h,f,ui,facelet,composite,comp,ez.
Note the following items:
- The user should add any other JSF prefixes defined by their application in order for those tags to be ignored.
- The user should remove any entry from the prefix parameter if the prefix is used in the JSP pages, but not for a JSF tag.
- If a prefix is used as a JSF prefix in some cases, and as a normal JSP tag in other cases, the user should not include the prefix in the parameter list, and should manually examine each generated result.
An automated fix will add the escape character before the #{ syntax.
Example:
    <h1>This is an example of template text that will be detected: #{detected}</h1>
The automated fix will change this code to:
    <h1>This is an example of template text that will be detected: \#{detected}</h1>
There are also different ways to deactivate the Expression Language (EL):
- On a page-by-page basis for all EL expressions: the developer can set the isELIgnored attribute of the JSP page directive to true.
For example:
    <%@ page isELIgnored="true" %>
This turns off all EL expressions for that page (that is, both ${exp} and #{exp}).
- Via a JSP property group setting in web.xml: the developer can deactivate the EL for a single page, or for several pages based on a specific URL pattern, by setting the el-ignored element to true.
For example:
    <jsp-property-group>
        <url-pattern>*.jsp</url-pattern>
        <el-ignored>true</el-ignored>
    </jsp-property-group>
- Via a JSP property group setting in web.xml to deactivate only the EL deferred syntax (#{}).
For example:
    <jsp-property-group>
        <url-pattern>*.jsp</url-pattern>
        <deferred-syntax-allowed-as-literal>true</deferred-syntax-allowed-as-literal>
    </jsp-property-group>
- On a page-by-page basis for only the EL deferred syntax: set the deferredSyntaxAllowedAsLiteral attribute of the JSP page directive to true.
For example:
    <%@ page deferredSyntaxAllowedAsLiteral="true" %>
Note about precedence:
The isELIgnored and deferredSyntaxAllowedAsLiteral attributes of the page directive take precedence over, and override, the values of the respective elements in web.xml.
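A simplified sketch of the page-level checks and the fix described above, added here as an illustration and not the rule's own implementation. It honours only the page directive attributes and the bypass prefixes and does not read web.xml (servlet version, <jsp-property-group>); the function names and the sample page are constructed for this example.

```python
import re

# Default bypass prefixes listed on this page for JSF tags.
DEFAULT_JSF_PREFIXES = ("h", "f", "ui", "facelet", "composite", "comp", "ez")

# Page directive attributes that make the container treat '#{' as literal text.
_DIRECTIVE = re.compile(
    r'<%@\s*page\b[^%]*?\b(isELIgnored|deferredSyntaxAllowedAsLiteral)\s*=\s*"true"')
# '#{' that is not already escaped with a backslash.
_DEFERRED = re.compile(r'(?<!\\)#\{')


def _flagged_offsets(jsp, prefixes):
    """Offsets of unescaped '#{' that are not inside a bypassed-prefix tag."""
    if _DIRECTIVE.search(jsp):
        return []
    alt = "|".join(re.escape(p) for p in prefixes)
    # Tags such as <h:outputText value="#{bean.name}"/>; quoted values may hold '>'.
    tag = re.compile(r'<(?:%s):[\w.-]+(?:"[^"]*"|\'[^\']*\'|[^>"\'])*>' % alt)
    skip = [m.span() for m in tag.finditer(jsp)]
    return [m.start() for m in _DEFERRED.finditer(jsp)
            if not any(s <= m.start() < e for s, e in skip)]


def find_deferred_el(jsp, prefixes=DEFAULT_JSF_PREFIXES):
    """Return the 1-based line number of each flagged '#{'."""
    return [jsp.count("\n", 0, off) + 1 for off in _flagged_offsets(jsp, prefixes)]


def escape_deferred_el(jsp, prefixes=DEFAULT_JSF_PREFIXES):
    """Insert the escape character before each flagged '#{'."""
    out = jsp
    for off in reversed(_flagged_offsets(jsp, prefixes)):  # back to front keeps offsets valid
        out = out[:off] + "\\" + out[off:]
    return out


# Constructed sample page (not from the original document).
SAMPLE = '''<%@ taglib prefix="h" uri="http://java.sun.com/jsf/html" %>
<h1>This is an example of template text that will be detected: #{detected}</h1>
<h:outputText value="#{bean.name}"/>
<p>Already escaped: \\#{kept}</p>
'''

if __name__ == "__main__":
    print("flagged lines:", find_deferred_el(SAMPLE))
    print(escape_deferred_el(SAMPLE))
```

Passing an empty prefix tuple shows why the bypass list matters: the #{bean.name} attribute of the JSF tag is then flagged as well.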
For additional information, see: