czerasz
Reputation: 14280
How to use getParameter in jsp the safe way
I'm using getParameter to get content from URL to the page.
<p>name <%= request.getParameter("name") %></p>
What content schould I avoid (ex. script tags)?
How should I validate it?
I'm working in JSP.
EDIT:
For today I just strip html tags:
variable.replaceAll("\\<.*?>","");
Upvotes: 1
Views: 3097
Answers (1)
Jigar Joshi
Reputation: 240996
You should not use scriptlet in jsp its not good practise
<p>name <c:out value='${param.name}'/> </p>
you should take care of XSS attack c:out will escape xml
To escape javascript injection you can Use StringUtils.escapejavaScript()
Upvotes: 1
Related Questions
- Prevent XSS/Cross site scripting vulnerability - request.getParameter() in JSP
- request.getParameter protect against XSS : what is the best practice?
- JSP request.getParameter
- JSP request.getParameter string
- getParameter in servlet
- How to hide passed request parameters from the user?
- Securely passing parameters in JSP/Servlet (No Frameworks)
- JSP getParameters
- Request.getParameter with JSP
- How to get the get method parameters in jsp?