How to disable Scripting in all JSP
you can make it invalid for a JSP to have scripting elements (scriptlets,
Java expressions, or declarations) by putting a <scripting-invalid> tag in the DD:
<web-app ...>
...
<jsp-config>
<jsp-property-group>
<url-pattern>*.jsp</url-pattern>
<scripting-invalid>
true
</scripting-invalid>
</jsp-property-group>
</jsp-config>
....
</web-app>
Java expressions, or declarations) by putting a <scripting-invalid> tag in the DD:
<web-app ...>
...
<jsp-config>
<jsp-property-group>
<url-pattern>*.jsp</url-pattern>
<scripting-invalid>
true
</scripting-invalid>
</jsp-property-group>
</jsp-config>
....
</web-app>