How to use getParameter in jsp the safe way
I'm using getParameter to get content from URL to the page.
<p>name <%= request.getParameter("name") %></p>
What co开发者_Python百科ntent schould I avoid (ex. script tags)?
How should I validate it?
I'm working in JSP.
EDIT:
For today I just strip html tags:variable.replaceAll("\\<.*?>","");
You should not use scriptlet in jsp its not good practise
<p>name <c:out value='${param.name}'/> </p>
you should take care of XSS attack c:out
will escape xml
To escape javascript injection you can Use StringUtils.escapejavaScript()
精彩评论