Vulnerability Development mailing list archives

Re: JSP hacking


From: Ben Galehouse <bgalehou () PACBELL NET>
Date: Fri, 29 Sep 2000 22:19:44 -0700

You need to treat JSP pages the way that you would servlet class files,
or Perl modules. You can do _anything_ within <% %> tags. Load classes?
Heck, write your own classes (inner classes, that is). Class.forName is
totally irrelevant.  If Class.forName("org.evil.BadClass") works,
org.evil.BadClass.class does the same thing.

They need to be protected and audited for all the same reasons that
servlets and Perl modules need to be protected and audited. Personally,
I think good style demands that the bulk of the JSP be static (pull the
serious logic out into a servlet), so the auditing should be short.
JSPs are not intended to be safe from malicious coders.  Basically, you
can't give strangers access to write them; they are not 'safe' the way
static HTML is.

In theory, they could be run in a sandbox, using the Java security
model.  I haven't a clue if this is done, or if they typically run with
the same access as the web-server's JVM.
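
An added example, not part of the original post: a small Python inventory of the executable blocks in a JSP source file, so a reviewer gets the complete list of code to audit instead of grepping for calls such as Class.forName. The function names and the sample page are constructed for illustration; org.evil.BadClass is the placeholder name used in the post.

```python
import re
from typing import NamedTuple

class Block(NamedTuple):
    kind: str  # scriptlet, declaration, expression, directive or comment
    line: int  # 1-based line on which the element opens
    code: str

# Standard-syntax JSP elements. An element ends at the first "%>", which is
# how the JSP translator reads it. XML-syntax <jsp:scriptlet> is not covered.
ELEMENT = re.compile(r"<%--(?P<c>.*?)--%>|<%(?P<tag>[@!=]?)(?P<body>.*?)%>", re.DOTALL)
KINDS = {"": "scriptlet", "!": "declaration", "=": "expression", "@": "directive"}
EXECUTABLE = {"scriptlet", "declaration", "expression"}

def inventory(source: str) -> list[Block]:
    """List every JSP element in the page with the line it starts on."""
    blocks = []
    for m in ELEMENT.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        if m.group("c") is not None:
            blocks.append(Block("comment", line, m.group("c").strip()))
        else:
            blocks.append(Block(KINDS[m.group("tag")], line, m.group("body").strip()))
    return blocks

def review_queue(source: str) -> list[Block]:
    """Every block that compiles to Java; each one needs a reviewer."""
    return [b for b in inventory(source) if b.kind in EXECUTABLE]

def code_share(source: str) -> float:
    """Fraction of the page's characters that sit inside executable blocks."""
    total = sum(len(b.code) for b in review_queue(source))
    return total / max(len(source), 1)

# Constructed sample page (not from the post).
SAMPLE_JSP = """<%@ page language="java" %>
<html><body>
<%-- greeting --%>
<h1>Generated at <%= new java.util.Date() %></h1>
<% Class.forName("org.evil.BadClass"); %>
<%! class Inner { void go() { new org.evil.BadClass(); } } %>
</body></html>
"""

if __name__ == "__main__":
    for b in review_queue(SAMPLE_JSP):
        print(f"line {b.line}: {b.kind}: {b.code}")
    print(f"executable share: {code_share(SAMPLE_JSP):.0%}")
```

On the sample, a search for Class.forName would hit only the scriptlet on line 5, while the inventory also lists the declaration on line 6 that references the same class directly.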

