Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#13725 closed Bug (invalid)

jsp scriplets and expressions are removed or replaced by the jsp output

Reported by: mike mike
Owned by:
Priority: Normal
Milestone:
Component: Server : Java
Version: 4.5.3
Keywords:
Cc:


I tested ckeditor with jsp files (with the ckeditor-java-core-3.5.3.jar) and it is very nice. Though there is a problem, and I wonder if you could assist, please. I am not sure if it is a bug or a new feature.

The problem is that the jsp scriptlets or expressions (<% ...%>, <%= ...%>) are either removed or replaced by the output of the jsp expression.


<%= 1+1 %> is replaced by "2"

<%= calcFunction() %> is removed

That way the resulting edited jsp file cannot be used any more.

On the other hand, if I add PHP tags, they get surrounded by HTML comments:


<? php

echo "test";


is replaced by:

<!--? php echo "test"; ?-->

I wonder if I miss something.

Thank you.

PS. browser: Mozilla Firefox 38.2.0; OS: Linux SL 6 32bit; ckeditor: 4.5.3 full; plugin: ckeditor-java-core-3.5.3.jar

Attachments (1) (19.6 KB) - added by mike mike 9 years ago.
sample jsp and image with ckeditor version


Change History (8)

comment:1 Changed 9 years ago by mike mike

PPS. I was expecting the jsp scriptlets or expressions to remain unchanged from the original into the edited jsp file.

comment:2 Changed 9 years ago by mike mike

Type: Task → Bug

comment:3 Changed 9 years ago by Jakub Ś

Keywords: jsp removed
Resolution: invalid
Status: new → closed

First of all, you might want to give the new version a try. It is still under development, but what is missing is mainly documentation (the code works). I recommend this version because it uses CKEditor 4.x by default, which is compatible with e.g. IE11.

Second, please note that scriptlets and expressions are discouraged in favour of EL, so you might consider it.

Now the problem. CKEditor is an HTML editor, not an editor for any kind of tags.

  1. I believe that the comments around PHP tags are an extra add-on.
  2. When you switch to source mode, enter <%= 1+1 %>, switch back to wysiwyg mode (you will see <%= 1+1 %>) and then switch back to source mode again, the expression is converted to <p>&lt;%=1+1%&gt;</p>. This is correct behaviour and how that sort of data should look in the editor. You can decode it on the server side once the editor contents are submitted.
  3. When you enter your expressions directly into the JSP, like shown below, please don't be surprised that the JSP expression gets evaluated on the JSP page. This is normal, and the fact is that this expression gets evaluated on the server even before the page starts loading.
    <textarea cols="80" id="editor1" name="editor1" rows="10"><%= 1+1 %></textarea>
  4. What can you do? Enter your scriptlets and expressions with the brackets changed to entities. This will be compliant with the current editor behaviour. Once the page is done, send it to the server and change the entities back to < > &. You will also have to remove the P or BR tags around them or between them. A better approach would be entering expressions into a pre tag (less to remove on the server side) or creating a plugin where the user enters the code he wants and the plugin either encodes some characters to entities or inserts the code in an HTML pre tag.
    <textarea cols="80" id="editor1" name="editor1" rows="10">&lt;%=1+1%&gt;</textarea>
  5. If you are not convinced, please try the example below and remember that you should not let your users enter expressions that can have an impact on the server side. These expressions should be encoded (visually they are OK and they won't do any harm).
    <textarea cols="80" id="editor1" name="editor1" rows="10"><% System.exit(0); %></textarea>

NOTE: if you can enter an expression into the editor and have it executed, please send me your JSP (a reduced file showing only the problem, with reproduction steps) and I will have it checked.

Changed 9 years ago by mike mike

Attachment: added

sample jsp and image with ckeditor version

comment:4 Changed 9 years ago by mike mike

Thank you for your reply. I am not sure about the solution you mentioned in 4. "What can you do? Enter your scriptlets and expressions with brackets changed to entities." Please clarify with an example if possible (what are brackets/entities?). Your example (also attached) with System.exit(0) is executing the code, and it is not what is intended.

Please find attached two sample jsp with "jsp:expression" and "jsp:scriptlet" (I have replaced the "<% %>") that keep executing/replacing the code. I thought of writing myself an encoding/decoding of the jsp tags before/after using ckeditor, which would work in the places that are for entering text (<body>CUSTOM_TAG</body> or <td>CUSTOM_TAG</td>), but that probably would not work inside the specification of elements like a "form". For instance: <form action <%= someFunction() %> ... etc.></form> The encoded <form action CUSTOM_TAG > does not show in the source.

I think I already use the latest ckeditor and "java-core".

Thank you.

comment:5 Changed 9 years ago by Jakub Ś

But you were given the example for point 4: your JSP has to contain the initial code for scriptlets and expressions encoded:

<textarea cols="80" id="editor1" name="editor1" rows="10">&lt;%=1+1%&gt;</textarea>

instead of

<textarea cols="80" id="editor1" name="editor1" rows="10"><%=1+1%></textarea>

The second part needs some explanation:

CKEditor is an HTML editor, not a code editor. On the one hand, you can type scriptlets or expressions directly into the editor content area. They won't be executed because they are encoded, e.g. entering <%=1+1%> will result in &lt;%=1+1%&gt; when switching to source mode. But there is another problem: JSP tags, scriptlets and expressions are not HTML and will be treated as text (or removed by ACF if you use JSP tags). This means that when entering code like <%=1+1%> you will get <p>&lt;%=1+1%&gt;</p>.

A correct implementation here would be to write widgets for the parts of the markup that are not HTML. They would need to be decorated before the HTML is parsed by CKEditor (so in a high-priority editor#toHtml listener) and then turned into widgets.

<form action <%= someFunction() %>

You can enter the form like so: <form action="&lt;%=someFunction()%&gt;">

I think already use the latest ckeditor and "java-core".

You have mentioned 3.5.3. This is the latest stable, but there is a newer version 4 under development. This is the one I have recommended.

comment:6 Changed 9 years ago by mike mike

Thank you for your reply. Now it works. Before I edit a jsp with ckeditor, I replace the "<" and ">" by "&lt;" and "&gt;" as you mentioned. It does not allow double quotes inside jsp expressions or scriptlets, but this is not a problem since I can replace them by a java "String" defined outside the "editor1 textarea". Something which is not working is the HTML "<textarea>". Namely, if I add a "<textarea id = "anId">...</textarea>" inside the ckeditor "<textarea id = "editor1">...</textarea>", it throws some HTML elements (not the custom <textarea> but probably the last element in the editor) below and outside the editing window. I bypass this problem by commenting out my custom "<textarea>" when editing with ckeditor (still I am using the latest stable 3.5.3). I do appreciate the time and assistance that you gave me, and now I can use the ckeditor with my jsp fairly well. Thank you.

comment:7 Changed 9 years ago by Jakub Ś

CKEditor by default uses a textarea element, which is replaced by an iframe. You can't nest one textarea inside another. You should also escape that inner textarea before loading it into the editor.

(still I am using the latest stable 3.5.3)

I would strongly recommend moving to 4.x. IMHO it works much better than 3.5.3, but the choice is yours.
