Prevent XSS/Cross site scripting vulnerability – request.getParameter() in JSP


I am looking to remediate the JSP page which has multiple variable with request.getParameter(). Can you please suggest whats the replacement for this.

if(appStatusId == AppCon.DECLINED) {
                String VPC = request.getParameter(constants.PRODUCT_CODE);

String Make = request.getParameter(constants.VEH_MAKE);

String NewUsed = request.getParameter(constants.VEH_NEWUSED);


When handling untrusted user input (like the values from request.getParameter() you should always escape the input before displaying it.

Use a utility class like StringEscapeUtils (from Apache Commons Text) to escape the data instead of escaping it by your own.

For your example it would like this:

String myVariable = StringEscapeUtils.escapeHtml4(request.getParameter("myParameter")

You can find background information about escaping at the OWASP website C4: Encode and Escape Data

Answered By – Yeti

This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply

(*) Required, Your email will not be published