Hi Remy,

> As I stated in the comments of the bug, I don't agree with your
> interpretation about the JSP displaying "code".

Sorry again for not making myself clear. To put it exactly (I hope ...): There are cases in complex include/forward scenarios where Tomcat serves JSPs as static resources. So the *client browser* receives something like this as plain text:

    <%@page language="java" %>
    <%
    application.getRequestDispatcher("/html/test.html").forward(request, response);
    %>
    <%-- possible harmful information like database login information etc. may also appear here --%>

This was what I referred to as "JSP source code". After reading your comment I noticed how ambiguous that was (sorry again).

Now the question is: Is it dangerous if the client sees a JSP including all embedded scriptlets? I'd say yes, since developers usually rely upon their Java/JSP code not being visible to clients (e.g. because database username and password are stored there - and let's not argue whether this is good design ;-)).

Best regards
Andreas

PS Thanks for incorporating the patch that changes the shutdown order in StandardContext.