1

I am looking to remediate the JSP page which has multiple variable with request.getParameter(). Can you please suggest whats the replacement for this.

 <%
if(appStatusId == AppCon.DECLINED) {
                String VPC = request.getParameter(constants.PRODUCT_CODE);
        %>


String Make = request.getParameter(constants.VEH_MAKE);

String NewUsed = request.getParameter(constants.VEH_NEWUSED);
Improve this question

1 Answer 1

Reset to default
3

When handling untrusted user input (like the values from request.getParameter() you should always escape the input before displaying it.

Use a utility class like StringEscapeUtils (from Apache Commons Text) to escape the data instead of escaping it by your own.

For your example it would look like this:

String myVariable = StringEscapeUtils.escapeHtml4(request.getParameter("myParameter")

You can find background information about escaping at the OWASP website C4: Encode and Escape Data

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thank you this worked

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.