4
votes

I got fortify report which shows XSS Reflected defect from the below 2nd line.

String name = request.getParameter("name");

response.getWriter().write("Name: " + name);

Recommendation given: All user input displayed to web clients should HTML encoded and validated. This is java code and I am not sure about how to fix this.

1

1 Answers

7
votes

A simple way, you can just use the OWASP Enterprise Security API (Java Edition) :

 String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );

See those link:

OWASP Enterprise Security API (Java Edition) Documentation

OWASP Enterprise Security API (Java Edition) Code Example