codeG
Reputation: 15
Prevent XSS/Cross site scripting vulnerability - request.getParameter() in JSP
I am looking to remediate the JSP page which has multiple variable with request.getParameter(). Can you please suggest whats the replacement for this.
<%
if(appStatusId == AppCon.DECLINED) {
String VPC = request.getParameter(constants.PRODUCT_CODE);
%>
String Make = request.getParameter(constants.VEH_MAKE);
String NewUsed = request.getParameter(constants.VEH_NEWUSED);
Upvotes: 1
Views: 1945
Answers (1)
Yeti
Reputation: 1160
When handling untrusted user input (like the values from request.getParameter() you should always escape the input before displaying it.
Use a utility class like StringEscapeUtils (from Apache Commons Text) to escape the data instead of escaping it by your own.
For your example it would look like this:
String myVariable = StringEscapeUtils.escapeHtml4(request.getParameter("myParameter")
You can find background information about escaping at the OWASP website C4: Encode and Escape Data
Upvotes: 3
Related Questions
- reflected XSS : request.getParameter
- request.getParameter protect against XSS : what is the best practice?
- XSS HTTP parameter pollution and getQueryString()
- Protection against Cross site scripting on specific JSP and Servlet code
- submitting form still risks from XSS
- Cross Site Scripting issue on jsp input tag
- XSS issues: jsp and request parameters
- XSS Cross Site Scripting - on JSP input tag
- XSS attacks in jsp
- How to use getParameter in jsp the safe way