How can I disable JSP scripting in JSP 2.0 tag files

I want to disable scriptlets and expressions in JSP 2.0 tag files. I have successfully disabled scriptlets and expressions in the JSP files themselves, but I am still able to use scriptlets in the tag files that used from the JSPs.

I have tired this in the web.xml but it has no effect:

<js开发者_开发技巧p-config>
    <jsp-property-group>
        <url-pattern>*.tag</url-pattern>
        <scripting-invalid>true</scripting-invalid>
    </jsp-property-group>
</jsp-config>

The above works for JSP files (if the url-pattern is changed to *.jsp) but does not seem to work for tag files.

All my tag files do match the pattern *.tag.

I am using Apache Tomcat 6.0.32.

Just to be clear JSP scriptlets and expressions are the evil inline Java code that we should be doing without these day, for example:

<% scriptlets %>
<%= expression %>

Many thanks.

I think i have the same problem: i wanted to use a include-prelude feature for a .tag file and i configured the option group the same way as you did.

I found the responsible code in tomcat source code in JspConfig.findJspProperty() (at least in my tomcat 7.0.22):

// JSP Configuration settings do not apply to tag files
if (jspProperties == null || uri.endsWith(".tag")
            || uri.endsWith(".tagx")) {
        return defaultJspProperty;
}

The defaultJspProperty is defined like this:

defaultJspProperty = new JspProperty(defaultIsXml,
        defaultIsELIgnored,
        defaultIsScriptingInvalid,
        null, null, null,
        defaultDeferedSyntaxAllowedAsLiteral, 
        defaultTrimDirectiveWhitespaces,
        defaultDefaultContentType,
        defaultBuffer,
        defaultErrorOnUndeclaredNamespace);

where defaultIsScriptingInvalid is null and for mye the prelude is directly specified as null parameter.

This explains our problem but i coudln't find the reason why it is implemented this way...

Try
1. Redeploy the application.
2. Cleaning the module work directory.
3. Clear the browser cache.