I have to change the source code of my training application to validate only .jsp files from a created allowlist. Currently, the logic works but without validating pages, and it looks like this:
<%
String somePage = "user";
if (request.getParameter("page") != null) {
somePage = request.getParameter("page");
}
%>
<jsp:include page="<%=\"sites/\"+somePage+\".jsp\"%>"/>
I need to create an allowlist including only files from a subpackage of my webapp, 'sites': "user.jsp", "interface.jsp" and "tools.jsp". I tried something like this:
<%
String somePage;
if (request.getParameter("page") != null) {
somePage = request.getParameter("page");
}
%>
<c:if test="${somePage['page'] =='user' || somePage['page'] == 'interface' || somePage['page'] == 'tools'}">
<jsp:include page="<%=\"sites/\"+somePage+\".jsp\"%>"/>
</c:if>
I'm not sure if the problem is my syntax or something totally different. Could you please help me and indicate what is wrong and how I should modify the code?
You can just use param.page.
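The allowlist check from the question written with param.page, as an added example that is not part of the original answer. It assumes JSTL core is on the classpath under the classic taglib URI and that any value outside the allowlist should fall back to the question's default page, user.

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%--
  param is the implicit EL object holding request parameters, so
  ${param.page} reads the same value as request.getParameter("page").
  EL resolves names against scoped attributes and implicit objects only;
  a scriptlet local variable (String somePage) is not visible to it,
  which is why the test is written against param.page directly.
--%>
<c:choose>
  <%-- Exact-match allowlist: only these three names ever reach the include. --%>
  <c:when test="${param.page == 'user' || param.page == 'interface' || param.page == 'tools'}">
    <c:set var="somePage" value="${param.page}"/>
  </c:when>
  <%-- Missing or unlisted value (assumed policy): fall back to the default page. --%>
  <c:otherwise>
    <c:set var="somePage" value="user"/>
  </c:otherwise>
</c:choose>

<%-- somePage is now a page-scoped attribute that can only hold an allowlisted name. --%>
<jsp:include page="sites/${somePage}.jsp"/>
```

Because the include path is built only from a value that matched one of the three literals, input such as ../WEB-INF/web.xml never reaches jsp:include.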