We're using fortify to scan java source code & it is complaining below error:
Method abc() sends unvalidated data to a web browser on line 200, which can result in the browser executing malicious code.
We've below code on line 200:
<a href="<%= Util.getProduct(request) %>">Product</a>
And Util.java hsa below code in getProduct method:
String prod = request.getParameter("prod");
Can any one tell me how to fix this XSS vulnerability?
Thanks!
Answer
You need to escape the output of Util.getProduct(request). Typically this is done using JSTL and a <c:out> tag and EL:
<a href="<c:out value="${Util.getProduct(request)}"/>" class="left_nav_link">Product</a>
N.B. you'll have to use a fairly up-to-date implementation of EL (as per JSTL or JSP 2.0 EL for getter with argument and Parameters in EL methods) in order to pass an argument to the getter method.
Since the code in your question contains scriptlets, I will strongly suggest that you read How to avoid Java code in JSP files? This question covers reasons to use JSTL+EL instead of scriptlets, as well as a bit of information about what those two acronyms actually refer to.