1. Introduction
In practice, we see that the request for statistics and exporting data in a certain format is very common. For example, we receive requests to export customer statistical reports, sales invoices, purchase invoices, etc. This requires people (especially programmers) to create software. You can flexibly create templates to export data to according to each specific situation and requirement. You may immediately think of the solution as using Word, Excel, ..., however this solution is not suitable for large amounts of data that can change continuously and develop in a short time, while It also requires paying software fees and data processing time is not optimal.
Currently there is a quite popular solution - the JasperReports library that many programmers prefer to use.
In particular, this library is open source and has a free version. You can access its source code at: https://github.com/TIBCOSoftware/jasperreports
2. Instructions for use
There are many instructions on how to use this library online, so I won't write in detail here.
If you use Eclipse, JasperReports has an additional plugin to help you create report templates.
In this article, I will guide you to use it on IntelliJ IDEA, the library manager is maven.
First, you need a template to fill in data (like orders, invoices, etc.). To do this, please download and install Jaspersoft Studio software (the latest Community version link is currently https://community.jaspersoft.com/files/file/19-jaspersoft®-studio-community-edition /?do=getNewComment).
After installing and opening, the software will have the following interface:
To create a new template, go to File -> New -> Jasper Report. In the All section, choose Blank A4 (or another template you like:>).
Click Next, project where to save the file. Click Next -> Next -> Finish. The new interface that appears is the template screen, where you can freely design according to your template.
On the right are objects supported by the library.
Suppose I have to create a simple purchase invoice form with title and item name. I will drag and drop the "Static text" object into the template and enter the name "PURCHASE INVOICE" (you can adjust the format yourself in the right corner of the screen).
Next, I drag 2 more objects like that but make the item categories below "Books" and "Pens".
Next I have to add the prices of these 2 items. This value is dynamic so I have to include a variable here (this is also a quite interesting and flexible feature of this library). In the outline section, Parameters section, right-click and select "Create Parameter". Then I modified the value of this variable in the right corner window, the variable name is book and the data type is real number.
Then I dragged and dropped it next to the "Book" label. Same with the variable "pen", and the total amount. Here the total amount of money you can assign is equal to the sum of the variables "book" and "pen".
After completing the template, it will look like this
You switch to the source tab, and this is the data that the system will process. Basically, Jasper Report will receive input data in a file format similar to XML, but the tag names will be pre-defined by the library. For example, the opening and closing tags of the superclass of the entire file must be the "jasperReport" tag. Here are some template symbols that you must pay attention to:
After you're done, you can start copying this file into your project to fill in the data and process it.
Then you proceed to import the following library:
<dependency>
<groupId>net.sf.jasperreports</groupId>
<artifactId>jasperreports</artifactId>
<version>6.21.0</version>
</dependency>
<dependency>
<groupId>net.sf.jasperreports</groupId>
<artifactId>jasperreports-fonts</artifactId>
<version>6.21.0</version>
</dependency>
Continue to write code to import files and fill data.
final String outputFilename = "report.pdf";
Files.deleteIfExists(new File(outputFilename).toPath());
InputStream inputStream = Main.class.getResourceAsStream("/report.jrxml");
Map<String, Object> parameters = new HashMap<>();
parameters.put("book", 55000);
parameters.put("pen", 11111.1111);
JasperReport jasperReport = JasperCompileManager.compileReport(inputStream);
JasperPrint jasperPrint = JasperFillManager.fillReport(jasperReport, null, new JREmptyDataSource());
JasperExportManager.exportReportToPdfFile(jasperPrint, outputFilename);
Here, because we fill directly, we can use the Map class. If you want to fill data from datasource (Database, ...), you can refer to (https://www.baeldung.com/spring-jasper).
The results are as follows
3. Safe programming
Because in the process of rendering this template, the library also executes functions inside it, so if users can customize template tags, attackers will add malicious tags that can execute commands. This error is quite similar to SSTI.
Suppose users are allowed to edit directly into the template. Source code is as follows:
final String outputFilename = "out.pdf"; Files.deleteIfExists(new File(outputFilename).toPath()); String input = ""; String template = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<jasperReport xmlns=\"http://jasperreports.sourceforge.net/jasperreports\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://jasperreports.sourceforge.net/jasperreports http://jasperreports.sourceforge.net/xsd/jasperreport.xsd\" name=\"z\" pageWidth=\"500\" pageHeight=\"1200\" columnWidth=\"270\">\n" + input + "</jasperReport>"; InputStream inputStream = new ByteArrayInputStream(template.getBytes()); JasperReport jasperReport = JasperCompileManager.compileReport(inputStream); JasperPrint jasperPrint = JasperFillManager.fillReport(jasperReport, null, new JREmptyDataSource()); JasperExportManager.exportReportToPdfFile(jasperPrint, outputFilename);
Attacker fills in malicious functions to take control of the system:
String input = "<parameter name="cmd">
<p>As a result, the command is executed. The file "out.pdf" has the following content:</p>
<p><img src="https://img.php.cn/upload/article/000/000/000/173597147572303.jpg" alt="Giới thiệu căn bản về thư viện JasperReports"></p>
<p>So programmers must also be careful not to let users enter content directly into the template.<br>
In addition, this library also has vulnerabilities in older versions (<em>CVE-2018-18809, CVE-2022-42889</em>, ...), when programming we should note that we should use the latest version. and updated regularly.</p>
The above is the detailed content of Basic introduction to JasperReports library. For more information, please follow other related articles on the PHP Chinese website!
vscode Chinese setting method
jquery implements paging method
oracle cursor usage
Why Windows cannot access the specified device path or file
Introduction to interface types
What does unsigned integer mean?
Web page editing software
The difference between JD.com's self-operated and official flagship stores
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
