Reputation: 14280
I'm using getParameter to get content from URL to the page.
<p>name <%= request.getParameter("name") %></p>
What content schould I avoid (ex. script tags)?
How should I validate it?
I'm working in JSP.
EDIT:
For today I just strip html tags:
variable.replaceAll("\\<.*?>","");
Upvotes: 1
Views: 3097
Reputation: 240996
You should not use scriptlet in jsp its not good practise
<p>name <c:out value='${param.name}'/> </p>
you should take care of XSS attack c:out
will escape xml
To escape javascript injection you can Use StringUtils.escapejavaScript()
Upvotes: 1