How to use getParameter in jsp the safe way
Question
I'm using getParameter to get content from URL to the page.
<p>name <%= request.getParameter("name") %></p>
What content schould I avoid (ex. script tags)?
How should I validate it?
I'm working in JSP.
EDIT:
For today I just strip html tags:
variable.replaceAll("\\<.*?>","");
1 answers
solution1
1 ACCPTED 2011-02-02 08:01:56
You should not use scriptlet in jsp its not good practise
<p>name <c:out value='${param.name}'/> </p>
you should take care of XSS attack c:out will escape xml
To escape javascript injection you can Use StringUtils.escapejavaScript()
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
How use of getparameter in jsp function
Use of request.getParameter in JSP results in NullPointerException
How to use request.getparameter and response.redirect in jsp file to return username and password to JAVA CLASS
How to use getParameter in java for applet
Is there a way to request.getParameter for only POST variables in JSP?
JSP request.getParameter
jsp request.getParameter
JSP getParameter (IE problem)
How to use CXF client in thread safe way
JSP Servlet getParameter() giving null
Related Tags