czerasz
czerasz

Reputation: 14280

How to use getParameter in jsp the safe way

I'm using getParameter to get content from URL to the page.

<p>name <%= request.getParameter("name") %></p>


What content schould I avoid (ex. script tags)?
How should I validate it?

I'm working in JSP.

EDIT:
For today I just strip html tags:

variable.replaceAll("\\<.*?>","");

Upvotes: 1

Views: 3097

Answers (1)

Jigar Joshi
Jigar Joshi

Reputation: 240996

You should not use scriptlet in jsp its not good practise

<p>name <c:out value='${param.name}'/> </p>

you should take care of XSS attack c:out will escape xml

To escape javascript injection you can Use StringUtils.escapejavaScript()

Upvotes: 1

Related Questions