Home > OS >  Prevent XSS/Cross site scripting vulnerability - request.getParameter() in JSP
Prevent XSS/Cross site scripting vulnerability - request.getParameter() in JSP

Time:12-08

I am looking to remediate the JSP page which has multiple variable with request.getParameter(). Can you please suggest whats the replacement for this.

 <%
if(appStatusId == AppCon.DECLINED) {
                String VPC = request.getParameter(constants.PRODUCT_CODE);
        %>


String Make = request.getParameter(constants.VEH_MAKE);

String NewUsed = request.getParameter(constants.VEH_NEWUSED);
    

CodePudding user response:

When handling untrusted user input (like the values from request.getParameter() you should always escape the input before displaying it.

Use a utility class like StringEscapeUtils (from Apache Commons Lang) to escape the data instead of escaping it by your own.

For your example it would like this:

String my Variable = StringEscapeUtils.escapeHtml4(request.getParameter("myParameter")

You can find background information about escaping at the OWASP website C4: Encode and Escape Data

  • Related