fix(appengine): removing obsolete symlink from java 8 on java 17 bundle services #10270
Kef131 wants to merge 1 commit into
Conversation
…pendency to avoid JSP compilation failure
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
Code Review
This pull request migrates the App Engine Datastore guestbook application to the Java 17 runtime. The review identified a critical Cross-Site Scripting (XSS) vulnerability in the JSP file, a violation of the Post-Redirect-Get (PRG) pattern in the servlet, and a UX issue where the pagination link is displayed even when no further results are available.
I am having trouble creating individual review comments.
appengine-java17-bundled-services/datastore/src/main/webapp/guestbook.jsp (28)
The user-provided content is rendered directly in the HTML without escaping. This creates a Cross-Site Scripting (XSS) vulnerability. Use <c:out> or fn:escapeXml to safely render user input.
<c:out value="${greeting.content}"/><br>
appengine-java17-bundled-services/datastore/src/main/java/com/example/appengine/AbstractGuestbookServlet.java (55-56)
After a successful doPost, the servlet forwards to the JSP instead of redirecting. This violates the Post-Redirect-Get (PRG) pattern, which can lead to duplicate form submissions if the user refreshes the page. Consider using a redirect after the greeting is appended.
guestbook.appendGreeting(content);
resp.sendRedirect(req.getRequestURI());
appengine-java17-bundled-services/datastore/src/main/java/com/example/appengine/ListPeopleServlet.java (88)
The "Next page" link is always displayed, even if there are no more results to fetch. This can lead to a poor user experience where clicking the link results in an empty page. You should only display the link if the number of results returned is equal to the PAGE_SIZE.
if (results.size() == PAGE_SIZE) {
w.println("<a href='/people?cursor=" + cursorString + "'>Next page</a>");
}
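To make the first and third findings concrete, here is an added example that is not code from the PR or from the guestbook sample. It applies the same five replacements that JSTL's `<c:out>` / `fn:escapeXml` performs (`&`, `<`, `>`, `"`, `'`) to a constructed greeting, and puts the suggested `results.size() == PAGE_SIZE` condition in a function. Class and method names are assumptions made for the example.

```java
/**
 * Added example (not the sample's code): what escaping does to stored greeting
 * content, plus the "Next page" condition from the pagination finding.
 */
public final class GuestbookRendering {

  /** Mirrors JSTL's escapeXml so a browser treats the content as text, not markup. */
  static String escapeXml(String s) {
    StringBuilder out = new StringBuilder(s.length() + 16);
    for (int i = 0; i < s.length(); i++) {
      char c = s.charAt(i);
      switch (c) {
        case '&': out.append("&amp;"); break;
        case '<': out.append("&lt;"); break;
        case '>': out.append("&gt;"); break;
        case '"': out.append("&#034;"); break;
        case '\'': out.append("&#039;"); break;
        default: out.append(c);
      }
    }
    return out.toString();
  }

  /** The form the review flagged: user content lands in the page unchanged. */
  static String renderUnescaped(String content) {
    return content + "<br>";
  }

  /** The suggested form, equivalent to: <c:out value="${greeting.content}"/><br> */
  static String renderEscaped(String content) {
    return escapeXml(content) + "<br>";
  }

  /**
   * Emit the link only when a full page came back; a short page means the
   * cursor would lead to an empty result. The cursor is escaped as well since
   * it lands inside a quoted attribute.
   */
  static String nextPageLink(int resultCount, int pageSize, String cursor) {
    if (resultCount == pageSize) {
      return "<a href='/people?cursor=" + escapeXml(cursor) + "'>Next page</a>";
    }
    return "";
  }

  public static void main(String[] args) {
    // Constructed greeting standing in for what a guest could type into the form.
    String stored = "Hi <b>all</b> & \"friends\" <script>alert('x')</script>";
    System.out.println("unescaped: " + renderUnescaped(stored)); // markup stays live
    System.out.println("escaped:   " + renderEscaped(stored));   // markup becomes text
    System.out.println(nextPageLink(20, 20, "constructed-cursor")); // full page: link shown
    System.out.println(nextPageLink(7, 20, "constructed-cursor"));  // short page: nothing
  }
}
```

Two caveats a reviewer would add: this escaping is the right tool for HTML text and quoted attribute values, but not for unquoted attributes or content placed inside a `<script>` block, which need their own encoding. The second finding (redirecting after `appendGreeting` instead of forwarding) is not shown here because it needs the servlet API; the review's one-line `resp.sendRedirect(req.getRequestURI())` is the whole change.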
Description
Fixes #10242
Internal: b/496677589
This PR dereferences the symbolic links in the Java 17 App Engine bundled services module (appengine-java17-bundled-services) that previously pointed to the deleted/legacy appengine-java8 directory. By making these files self-contained, this module can run independently without relying on Java 8 code.
Additionally, this PR adds the missing JSTL dependency to the Java 17 pom.xml to resolve JSP runtime compilation errors (JasperException / ClassNotFoundException for guestbook_jsp) when running the development server locally with mvn appengine:run.
This PR dereferenced 32 symbolic links on appengine-java17-bundled-services/datastore
Checklist
- pom.xml parent set to latest shared-configuration
- mvn clean verify required
- mvn -P lint checkstyle:check required
- mvn -P lint clean compile pmd:cpd-check spotbugs:check advisory only
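The description says the module's symlinks into the removed Java 8 tree were replaced with self-contained copies. The following is an added example, not the PR's own tooling, of doing that with java.nio.file and of checking that no links remain afterwards: it lists symlinks below a root, replaces each one that resolves to a regular file with a copy, and reports dangling or directory links instead of touching them. The temporary directory layout and file names are constructed for the example and are not the repository's paths.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/** Added example (not part of the PR): replace symlinks under a module with real copies. */
public final class DereferenceSymlinks {

  /** Every symbolic link below root; Files.walk does not follow links, so they are listed as entries. */
  static List<Path> findSymlinks(Path root) throws IOException {
    try (Stream<Path> entries = Files.walk(root)) {
      return entries.filter(Files::isSymbolicLink).collect(Collectors.toList());
    }
  }

  /**
   * Replaces each symlink with a copy of the regular file it resolves to and
   * returns how many were replaced. Dangling links and links to directories are
   * reported and left in place so nothing is silently lost.
   */
  static int dereference(Path root) throws IOException {
    int replaced = 0;
    for (Path link : findSymlinks(root)) {
      Path target = link.resolveSibling(Files.readSymbolicLink(link)).normalize();
      if (!Files.isRegularFile(target)) {
        System.err.println("left in place (dangling or directory): " + link + " -> " + target);
        continue;
      }
      // REPLACE_EXISTING replaces the link itself, not the file it points to.
      Files.copy(target, link, StandardCopyOption.REPLACE_EXISTING);
      replaced++;
    }
    return replaced;
  }

  public static void main(String[] args) throws IOException {
    // Constructed layout standing in for the deleted appengine-java8 tree and the
    // Java 17 module that linked into it (assumed names, not the repository's).
    Path tmp = Files.createTempDirectory("deref");
    Path legacy = Files.createDirectories(tmp.resolve("appengine-java8"));
    Path module = Files.createDirectories(tmp.resolve("appengine-java17-bundled-services"));
    Path original = Files.writeString(legacy.resolve("guestbook.jsp"), "<html>constructed</html>");
    Files.createSymbolicLink(module.resolve("guestbook.jsp"), original);

    System.out.println("before: " + findSymlinks(module).size() + " symlink(s)");
    int n = dereference(module);
    System.out.println("replaced " + n + ", after: " + findSymlinks(module).size() + " symlink(s)");

    // The module now owns its copy: removing the legacy file no longer breaks it.
    Files.delete(original);
    System.out.println("module copy still readable: "
        + Files.readString(module.resolve("guestbook.jsp")));
  }
}
```

Run the `findSymlinks` count on `appengine-java17-bundled-services/datastore` before and after a change like this one: the count before should match the number of links the PR reports replacing, and the count after should be zero.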