Home/ Questions/Q 1073923
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T21:03:18+00:00

Traditionally we have always used xml in the response which is parsed by a

  • 0

Traditionally we have always used xml in the response which is parsed by a Javascript method to execute post processes. I came up with a new, simpler implementation which uses a hidden input set by a requestAttribute and executed in an ajax callback.

JSP:

<%
    String jsPostProcess = (String)request.getAttribute("jsPostProcess");
    if (jsPostProcess!=null && jsPostProcess.trim().length()>0){        
%>
        <input type="hidden" id="jsPostProcess" name="jsPostProcess" 
            value="<%= jsPostProcess %> "/>
<%  } %>

AJAX CALLBACK:

var callback = {
    success: function(response) {
        var div = $(divId);
        if (div){
            div.innerHTML = response.responseText;              
        }
        var jsPostProcess = $('jsPostProcess');
        if (jsPostProcess)
            eval(jsPostProcess.value);
    },
    failure: function(response) {
        alert('Something went wrong!');
    }
}

SERVLET CODE:

request.setAttribute("jsPostProcess", jsPostProcess);

It works beautifully, and it is so much simpler for adding js post processes to virtually any call no matter how simple or complex the functionality is. No need for customized js methods for parsing.

Curious if anyone could identify any potential problems with it (such as security issues?) or make any suggestions for other alternatives. We currently use Prototype and YUI 2 on the front-end.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    First, there’s no need for that unpleasant scriptlet code:

    <c:if test='${not empty jsPostProcess}'>
  <input type='hidden' id='jsPostProcess' name='jsPostProcess' value='${jsPostProcess}'>
</c:if>

    Next thing is that I hope that somewhere before this point the “jsPostProcess” value has been scrubbed so that it doesn’t break the markup (like, in case it includes quotes).

    Just calling eval() on the value like that seems a little dangerous, though perhaps you know pretty well what it’s going to be.

    Finally I would offer the suggestion that as an alternative to that, if the “post process” code isn’t too big you could send it back in a response header. Then you wouldn’t have to drop any meaningless markup into your page.

    Oh, also finally: you might want to make the <input> be disabled. Or, alternatively, you don’t even have to use an input: you can use this trick:

    <script id='jsPostProcess' type='text/plain'>
  ${jsPostProcess}
</script>

    Because the “type” attribute is “text/plain” the browsers won’t try to execute that code, and you can get the “text” of the <script> element whenever you want.

    • 0