java jsp file-inclusion

Dynamic JSP Inclusion - problems with preparing and validating allowlist


I have to change the source code of my training application to validate only .jsp files from a created allowlist. Currently, the logic works but without validating pages, and it looks like this:

        <%
            String somePage = "user";
            if (request.getParameter("page") != null) {
                somePage = request.getParameter("page");
            }
        %>

        <jsp:include page="<%=\"sites/\"+somePage+\".jsp\"%>"/>

I need to create an allowlist including only files from a subpackage of my webapp - 'sites': "user.jsp", "interface.jsp" and "tools.jsp". I tried something like this:

        <%
            String somePage;
            if (request.getParameter("page") != null) {
                somePage = request.getParameter("page");
            }
        %>

        <c:if test="${somePage['page'] =='user' || somePage['page'] == 'interface' || somePage['page'] == 'tools'}">
        <jsp:include page="<%=\"sites/\"+somePage+\".jsp\"%>"/>
        </c:if>

I'm not sure if the problem is my syntax or something totally different. Could you please help me and indicate what is wrong and how I should modify the code?


Solution

  • You can just use param.page.

    <c:if test="${param.page == 'user' || param.page == 'interface' || param.page == 'tools'}">
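An added example, not part of the original question or answer: the same three-name allowlist moved into a small Java helper, so that only an exact match reaches the include path. The class name `PageAllowlist`, the method `resolve`, and the choice to fall back to `user` (instead of rendering nothing, as the `<c:if>` does) are assumptions made for this illustration.

```java
import java.util.Set;

/** Added example, not the poster's code. PageAllowlist and resolve() are hypothetical names. */
public class PageAllowlist {
    // The three page names from the question; anything else is rejected. Set.of needs Java 9+.
    private static final Set<String> ALLOWED = Set.of("user", "interface", "tools");
    // Same default the original scriptlet used when no parameter was sent.
    private static final String DEFAULT_PAGE = "user";

    /**
     * Maps the raw "page" parameter to an include path.
     * Only a value that exactly equals an allowlisted name reaches the path;
     * null, unknown names, different case, extensions or path segments fall
     * back to the default page.
     */
    public static String resolve(String requested) {
        // Null check first: Set.of(...).contains(null) throws NullPointerException.
        boolean ok = requested != null && ALLOWED.contains(requested);
        return "sites/" + (ok ? requested : DEFAULT_PAGE) + ".jsp";
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the page.
        String[] samples = { null, "tools", "interface", "admin", "USER", "user.jsp", "../tools", "" };
        for (String s : samples) {
            System.out.println(s + " -> " + resolve(s));
        }
    }
}
```

In the JSP, assuming the class is placed in a package and imported with a `page` directive, the include becomes `<jsp:include page='<%= PageAllowlist.resolve(request.getParameter("page")) %>'/>`.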