3.4 Tips for Creating JSPs

When specifying merge and error UI Pages and other files on the file system, be sure to use the proper case so that your tasks can run on platforms that are case sensitive.

The MVStringEditor widget should be used in most cases where multiple strings or DNs are being edited. It works for browser and simple UI Pages. It has modes for showing on a single line and as a list box. It automatically shows the search when editing a DN list. It allows the user to type values for adding instead of forcing the user to search in DN mode. For more information, see Section 6.3, The MVStringEditor Widget.

To use bold text for part of a message when using GenConf and GenErr, use the eMFrameUtils.setMessage() method that takes the plainText and boldText parameters. For the plainText String, use {0} for the position of the bold text.

We suggest that all JSPs include the <iman:eMFrameScripts /> tag from the iManager tag library at the top to make future changes more compatible. This file contains methods for encoding and decoding as well as other miscellaneous utility methods. It also includes methods for packing an array of strings into one string to be sent across the wire and then unpacking them. The com.novell.emframe.dev.eMFrameUtils class contains pack and unpack methods you can use in your Java code.

3.4.1 Encoding Data Using Tag Libraries

Typically, a JSP retrieves, displays, sends, and otherwise deals with data, which often contains characters that are incompatible with the languages and protocols that are part of the iManager architecture. To avoid errors, you need to make sure that data is correctly converted or escaped. It is usually best to perform all data manipulation in the JSP and none in your Java code, thereby separating the display and use of the data from your business logic.

Novell recommends using tag libraries for accessing data in your JSPs. Tags such as c:out and x:out perform XML encoding automatically, so when you are displaying data in a table or on a page, the encoding is taken care of for you. For example:

 <c:out value="${myData}" />
 

Encoding Data in URLs

When you insert data into a URL (for example, in an href), it must be properly encoded. To do this, turn off XML-encoding and use the iman:urlEncode tag to encode it. For example:

 <a href="frameservice?myData=<iman:urlEncode><c:out value="${myData}" escapeXml="false" /></iman:urlEncode>">
 

Encoding Data in JavaScript

When you insert data into a JavaScript context, it must be properly encoded. To do this, turn off XML-encoding and use the iman:toScript tag to encode it. This automatically escapes backslashes, quotes, new lines, etc.

 <script>
       var a = "<iman:toScript ><c:out value="${myData}" escapeXml="false"/></iman:toScript>";
 </script>
 

3.4.2 Encoding Data Using Java Methods

Novell discourages using Java code to encode data in your Java classes or JSPs. However, if circumstances require you to use Java methods to encode data, it is possible, although significantly more complex than using tag libraries.

The com.novell.emframe.dev.eMFrameUtils class contains methods for translating data. These methods are described in the following table:

Table 3-2 com.novell.emframe.dev.eMFrameUtils class data translation methods

| Utility Method | Description |
|---|---|
| toTag(String) | Translates strings for inclusion in the tag portions of your HTML code. Characters that are part of the HTML syntax are translated to entities like &lt; so that they do not confuse the HTML parser. |
| urlEncode(String); urlEncode(String, String); urlEncode(String, PluginContext) | Translates query parameters on the URL links for transmission across the network. Spaces are translated to plus signs (+), and other characters are translated into three-character sequences like “%xx.” |
| toDisplay(String) | Translates strings that are displayed to the user. New line characters are converted to <br>, multiple spaces are converted to &nbsp;, and characters that are part of the HTML syntax are translated to entities like &lt; so that they do not confuse the HTML parser. |
| toScript(String) | Escapes quotes, apostrophes, and backslashes in strings that are placed in JavaScript code. The toScript routine places a backslash in front of these characters. |
| xmlEncode(String) | Escapes characters that are part of the XML syntax. These characters are translated to entities like &lt; so that they will work properly with XML parsers. |

Encoding in JSP or HTML Code

The following table shows HTML attributes and other parts of a JSP/HTML document where dynamic data is often inserted. For each of these, the table shows the utility method that should be used to encode the data and an example. In the examples, the data is represented by a String-type variable named var.

The following elements do not need to be encoded:

  • taskId

  • image names

  • UI page names

  • template names

Table 3-3 JSP/HTML document components that accept dynamic data

| HTML | Method | Example |
|---|---|---|
| action="" | urlEncode() | <%= eMFrameUtils.urlEncode(var) %> |
| alt="" | toTag() | <%= eMFrameUtils.toTag(var) %> |
| href="" | urlEncode() | <%= eMFrameUtils.urlEncode(var) %> |
| onClick="" | toTag() | <%= eMFrameUtils.toTag(var) %> |
| onClick="javascript:" | toTag(toScript()) | <%= eMFrameUtils.toTag(eMFrameUtils.toScript(var)) %> |
| onLoad="" | toTag() | <%= eMFrameUtils.toTag(var) %> |
| onLoad="javascript:" | toTag(toScript()) | <%= eMFrameUtils.toTag(eMFrameUtils.toScript(var)) %> |
| src="URL" | urlEncode() | <%= eMFrameUtils.urlEncode(var) %> |
| src="directory path" | toTag() | <%= eMFrameUtils.toTag(var) %> |
| value="" tag | toTag() | <%= eMFrameUtils.toTag(var) %> |
| window.location=url | toScript() | <%= eMFrameUtils.urlEncode(var) %> |
| javascript var="" | toScript() | <%= eMFrameUtils.toScript(var) %> |
| Strings in HTML body | toDisplay() | <%= eMFrameUtils.toDisplay(var) %> |

Encoding for JavaScript (Non-JSP)

If a string is included in a URL, it must be encoded before it is transmitted to the server. This causes special characters like commas, colons, quotation marks, plus signs, and spaces, which have special significance to the URL parser, to be encoded into a three-character string, such as %2B, that has no significance to the URL parser.

Some browsers cannot handle spaces in parameters, so you must encode parameters that include only spaces as well as strings that include the other special characters. All <href> and <action> data is automatically unencoded when it reaches the server. To encode for JavaScript, include eMFrameScripts in your header and call the urlEncode() method. Use the iman tag library to include eMFrameScripts:

 <%@ taglib uri="/WEB-INF/iman.tld" prefix="iman" %>
 <HEAD>
   . . .
   <iman:eMFrameScripts/>
 </HEAD>
 

eMFrameScripts also includes urlDecode(), toDisplay(), and toScript() functions.

Do not use the standard JavaScript escape and unescape methods. They do not work when using UTF-8.
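
The difference between the legacy escape() function and UTF-8 percent-encoding, shown as an added example that is not part of the Novell documentation or of eMFrameScripts. The names utf8UrlEncode, serverDecodeUtf8 and roundTrip are hypothetical, the sample DN is constructed, and the server is assumed to decode query parameters as UTF-8.

```javascript
// Hypothetical stand-in for a UTF-8 aware URL encoder (not the eMFrameScripts code).
function utf8UrlEncode(s) {
  // encodeURIComponent emits UTF-8 bytes as %xx but leaves ! ' ( ) * untouched,
  // so encode those as well, then write spaces as "+".
  return encodeURIComponent(s)
    .replace(/[!'()*]/g, c => "%" + c.charCodeAt(0).toString(16).toUpperCase())
    .replace(/%20/g, "+");
}

// Assumed server behaviour: "+" becomes a space, then %xx is decoded as UTF-8.
function serverDecodeUtf8(q) {
  return decodeURIComponent(q.replace(/\+/g, "%20"));
}

// Encode with the given function and report what the server would receive.
function roundTrip(encoder, value) {
  try {
    return serverDecodeUtf8(encoder(value));
  } catch (e) {
    return "DECODE ERROR: " + e.name;
  }
}

// Constructed sample: a DN containing a non-ASCII letter, a plus sign and a space.
const sampleDn = "cn=José+uid=7,ou=R D,o=acme";

function demo() {
  return {
    legacyBytes: escape("é"),              // Latin-1 code unit, not UTF-8 bytes
    utf8Bytes: utf8UrlEncode("é"),
    legacyWide: escape("日"),              // non-standard %uXXXX form
    legacyDn: roundTrip(escape, sampleDn),
    utf8Dn: roundTrip(utf8UrlEncode, sampleDn),
    legacyPlus: roundTrip(escape, "a+b"),  // "+" is sent raw and read as a space
  };
}

console.log(demo());
```

With escape(), the DN either fails to decode or arrives altered; the UTF-8 encoder returns it unchanged.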

Posting Data Through <input> Fields

Information passed back and forth between the client and web server by way of form <input> fields (whether hidden or not) does not need to be URL encoded before transmission to the server because it is not automatically decoded on arrival at the web server. Only action, href, window.location, and src="url" tags need to be URL encoded.

Using JavaScript in href Tags

Different browsers are not consistent in the way they handle URL encoded strings when they are passed to JavaScript routines. Internet Explorer completely decodes strings before sending them to the JavaScript routine. Netscape does nothing with the strings. To avoid using browser-specific code, do not use the following syntax:

 <a href="javascript:<functionName>('<%= Utils.urlEncode(var) %>')" >
 

Use the following syntax instead:

 <a href="#" onClick="javascript:<functionName>('<%= Utils.toTag(Utils.toScript(var)) %>');return false">
 

Using href="#" instructs the browser to not go anywhere when the link is accessed. The onClick processing is then used to decide what to do when the link is clicked.
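
Why the onClick="javascript:" row in Table 3-3 and the recommended syntax above nest toTag(toScript(var)), as an added example that is not Novell's code. The toScript and toTag functions here are hypothetical re-implementations based only on the descriptions in Table 3-2, browserSees is a simplified simulation of how a browser reads a double-quoted onClick attribute, and the sample values are constructed.

```javascript
// Hypothetical stand-ins for the behaviour described in Table 3-2.
function toScript(s) {
  // Backslash first, then quotes, apostrophes and line breaks.
  return s.replace(/\\/g, "\\\\").replace(/'/g, "\\'").replace(/"/g, '\\"')
          .replace(/\n/g, "\\n").replace(/\r/g, "\\r");
}
function toTag(s) {
  // Ampersand first so the entities produced below are not re-encoded.
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// The HTML parser decodes entities in the attribute before the script engine runs.
function htmlDecode(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
          .replace(/&#39;/g, "'").replace(/&amp;/g, "&");
}

// Simulates onClick="show('<encodedValue>');return false": the attribute ends at
// the first raw double quote, is entity-decoded, then runs as a function body.
function browserSees(encodedValue) {
  const attr = ("show('" + encodedValue + "');return false").split('"')[0];
  let seen = null;
  try {
    new Function("show", htmlDecode(attr))(v => { seen = v; });
  } catch (e) {
    return "SCRIPT ERROR";
  }
  return seen;
}

// Constructed sample values containing characters special to HTML and JavaScript.
const sampleName = "O'Brien \"ops\" C:\\dir <a&b>";
const sampleText = "R&amp;D"; // literal text that happens to look like an entity

console.log({
  both: browserSees(toTag(toScript(sampleName))),   // value arrives intact
  tagOnly: browserSees(toTag(sampleName)),          // apostrophe ends the JS string
  scriptOnly: browserSees(toScript(sampleName)),    // raw quote ends the attribute
  scriptOnlyText: browserSees(toScript(sampleText)) // silently becomes "R&D"
});
```

The inner call protects the JavaScript string literal and the outer call protects the HTML attribute, matching the order in which the browser undoes them.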