Prevent XSS/Cross site scripting vulnerability – request.getParameter() in JSP

Issue

I am looking to remediate the JSP page which has multiple variables using request.getParameter(). Can you please suggest what's the replacement for this?

    <%
        if (appStatusId == AppCon.DECLINED) {
            String VPC = request.getParameter(constants.PRODUCT_CODE);
    %>

    <%
            String Make = request.getParameter(constants.VEH_MAKE);
            String NewUsed = request.getParameter(constants.VEH_NEWUSED);
        }
    %>


Solution

When handling untrusted user input (like the values from request.getParameter()), you should always escape the input before displaying it.

Use a utility class like StringEscapeUtils (from Apache Commons Text) to escape the data instead of escaping it on your own.

For your example it would look like this:

import org.apache.commons.text.StringEscapeUtils;

String myVariable = StringEscapeUtils.escapeHtml4(request.getParameter("myParameter"));

You can find background information about escaping on the OWASP website: C4: Encode and Escape Data

Answered By – Yeti

This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0
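The following is an added, stand-alone example (not code from the question, the answer, or any project on this page) showing what the escaping looks like for the two output contexts a JSP most often writes a parameter into: HTML body or double-quoted attribute, and a JavaScript string literal. It assumes Apache Commons Text (org.apache.commons.text) is on the classpath; the class name, the helper names and the sample values are constructed for illustration.

```java
import org.apache.commons.text.StringEscapeUtils;

/**
 * Added example: output-encodes values obtained from request.getParameter()
 * for the context they are written into. Not part of the original post.
 * Requires Apache Commons Text on the classpath.
 */
public class ParamEncodingDemo {

    /**
     * For an HTML body or a double-quoted attribute value.
     * escapeHtml4 turns &, <, > and " into entities; it does NOT escape the
     * single quote, so only use this helper with double-quoted attributes.
     * A missing parameter (null) is rendered as an empty string.
     */
    static String forHtml(String raw) {
        return raw == null ? "" : StringEscapeUtils.escapeHtml4(raw);
    }

    /**
     * For a value placed inside a JavaScript string literal in an inline
     * script. escapeEcmaScript backslash-escapes quotes, the backslash,
     * the slash and control characters, so the value cannot close the
     * string literal or the surrounding script element.
     */
    static String forJsString(String raw) {
        return raw == null ? "" : StringEscapeUtils.escapeEcmaScript(raw);
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for request.getParameter(...).
        // In the JSP from the question the call would be, for example:
        //   <%= ParamEncodingDemo.forHtml(request.getParameter(constants.VEH_MAKE)) %>
        String vehMake = "<script>alert(1)</script>";
        String newUsed = "used\" onmouseover=\"alert(1)";
        String productCode = "';alert(1);//";
        String missing = null;

        // HTML body context
        System.out.println("<td>" + forHtml(vehMake) + "</td>");

        // Double-quoted attribute context
        System.out.println("<input name=\"newused\" value=\"" + forHtml(newUsed) + "\">");

        // JavaScript string literal context
        System.out.println("<script>var code = '" + forJsString(productCode) + "';</script>");

        // Absent parameter: no NullPointerException, nothing written
        System.out.println("<td>" + forHtml(missing) + "</td>");
    }
}
```

Two points worth keeping in mind when applying this to the page in the question. First, apply the escaping at the point where the value is written into the response (the `<%= %>` expression or the `out.print` call), not when it is read from the request: the same parameter may also go to SQL, a log line or a redirect, and HTML entities are wrong for all of those. Second, pick the escaper by output context; `escapeHtml4` is correct for element content and double-quoted attributes but not for single-quoted attributes, URLs or script blocks. If the page can use JSTL, `<c:out value="${param.vehMake}"/>` escapes `<`, `>`, `&`, `"` and `'` by default and removes the scriptlet altogether.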
