Johannes Schlüter

One more thing out of the category "Java annoys me": In Java you can declare an array like that:

String[] array_of_strings = { "foo", "bar", "baz" };

but you can't do that inside a func call

someMethod({ "foo", "bar", "baz" });

not even when using an explicit cast

someMethod((String[]){ "foo", "bar", "baz" });

A smart compiler should be able to create the same code for both, I agree this can be unreadable, but that should be my choice not the language's choice.</flame>

For a university project I have to develop a web based application using Java Enterprise Edition which will be based on Apache Tomcat. Afterdoing some initial setup on my development machine I did some simple tests to see whether everything works. So my first JSP file looked something like this:

Coming from web security I knew this being a XSS security problem since the user data is directly given to the output stream. Of course this is simple test code but as a self proclaqimed web security expert I havbe to think about such issues before even starting with implementation of the real app - even though the real app is just for university. So I browsed through the JEE documentation to find some method to encode HTML output so I asked a few friends with more Java experience and the only solution I found was using Apache Commons' org.apache.commons.lang.StringEscapeUtils which is no part of the JEE framework, a framework which was created with web apps in mind. How can that be? Are JSP based applications supposed to be unsafe? - And people say PHP was unsafe, which really was made for "solving the web problem" and offers all the things you need in it's core API.