I am looking to remediate the JSP page which has multiple variable with request.getParameter(). Can you please suggest whats the replacement for this.
<%
if(appStatusId == AppCon.DECLINED) {
String VPC = request.getParameter(constants.PRODUCT_CODE);
%>
String Make = request.getParameter(constants.VEH_MAKE);
String NewUsed = request.getParameter(constants.VEH_NEWUSED);
CodePudding user response:
When handling untrusted user input (like the values from request.getParameter() you should always escape the input before displaying it.
Use a utility class like StringEscapeUtils (from Apache Commons Lang) to escape the data instead of escaping it by your own.
For your example it would like this:
String my Variable = StringEscapeUtils.escapeHtml4(request.getParameter("myParameter")
You can find background information about escaping at the OWASP website C4: Encode and Escape Data