Home > OS >  Prevent XSS/Cross site scripting vulnerability - request.getParameter() in JSP
Prevent XSS/Cross site scripting vulnerability - request.getParameter() in JSP

Time:12-08

I am looking to remediate the JSP page which has multiple variable with request.getParameter(). Can you please suggest whats the replacement for this.

 <%
if(appStatusId == AppCon.DECLINED) {
                String VPC = request.getParameter(constants.PRODUCT_CODE);
        %>


String Make = request.getParameter(constants.VEH_MAKE);

String NewUsed = request.getParameter(constants.VEH_NEWUSED);

CodePudding user response:

When handling untrusted user input (like the values from request.getParameter() you should always escape the input before displaying it.

Use a utility class like StringEscapeUtils (from Apache Commons Lang) to escape the data instead of escaping it by your own.

For your example it would like this:

String my Variable = StringEscapeUtils.escapeHtml4(request.getParameter("myParameter")

You can find background information about escaping at the OWASP website C4: Encode and Escape Data

Page link:https//www.codepudding.com/os/219387.html

Prev:Does returning mysqli_error() in console log pose website a security risk?
Next:Generate 200 data points drawn from a multivariate normal distribution with mean μ and covariance ma
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding