I'm using getParameter to get content from URL to the page.
<p>name <%= request.getParameter("name") %></p>
What content schould I avoid (ex. script tags)?
How should I validate it?
I'm working in JSP.
EDIT:
For today I just strip html tags:
variable.replaceAll("\\<.*?>","");
You should not use scriptlet in jsp its not good practise
<p>name <c:out value='${param.name}'/> </p>
you should take care of XSS attack c:out
will escape xml
To escape javascript injection you can Use StringUtils.escapejavaScript()
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.