Previous web applications I have built always did user input and output validation within the servlets that handled the particular request (of course, using utility classes accessible to the servlets). But combining JSP and servlets can reduce the overhead of input/output validation, making work a lot easier.
Validation can be done one of two ways, depending on the need. JSTL-based validation involves embedding JSP tags in HTML and having the page handle its own validation. This may be fine for an application with a few [unrelated] pages, but problems arise when you scale to multiple pages that may need to validate the same kinds of information. The solution: use JavaBeans to validate user input. With such a solution, changes are made in the beans only when validation requirements change - pages would not need to be edited.
When would your use JSTL versus JavaBeans validation? If you are only checking that fields have been filled in with certain data or selections made in a form, JSTL is best. However, if validation involves using external resources such as databases and special formating requirements, JavaBeans are best.
To protect against cross-site scripting attacks, JSP offers a great output function <c:out> that converts quotes and such to their HTML code equivalents. For example, if output text contains the '<' character, the HTML would contain the characters "& l t ;".
JSP also introduces its own set of operators to help ease coexistance with XML. If you develop a JSP/XML solution, it can become a pain to determine which operators apply to what domain, humany speaking. So, JSP allows the use of 'and' for '&&' and 'eq' for '==', for example. Essentially, you can write a JSP page that does not use the usual operators for equality and comparison.
I like the fact that JSP pages have access to the request object just as a servlet would. You can access a parameter using the implicit param object in a JSP page; example <c:out value="${param.variable}"/> for singular parameters, or paramValues for collections.
Beyond parameters, you can also access the request object itself for information sent from a client browser using "${pageContext.request.xxxxx}", where 'xxxxx' is a variable name. Such information may include character encoding, content length, content type, local/remote addresses and ports, locales, protocols, schema, security, and request headers.
The real strength of JSP and input processing is its ability to absort all request parameters into a JavaBean in a couple of lines of code:
<jsp:useBean id="beanId" class="package.BeanClass">
<jsp:setProperty name="beanId" property="*" />
</jsp:useBean>
When the number of parameters change, you only need to change the bean's methods and add/remove control names in the JSP pages. For rhis to work, parameter names in JSP must match bean properties, by case.
For most basic form input validation, you only need to be aware of a small set of JSP contructs: <c:out>, <c:forEach>, <c:if>, <c:when>, <c:choose>, and <c:set>. These and other core JSTL contructs come standard with any servlet container that can process JSPs.