avoid vulnerabilities caused by data that bypasses validation. See The CERT® Oracle® Secure Coding Standard for Java [Long 2012], "IDS01-J. Normalize strings before validating them," for more information.
Noncompliant Code Example
This noncompliant code example uses the model-view-controller (MVC) support of the Java EE-based Spring Framework to display notification data to the user without encoding or escaping it. The notification message originates outside the controller's control and is placed in the model verbatim; because the view renders that model in a web browser, the code is subject to both HTML injection and cross-site scripting (XSS) attacks.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;

@RequestMapping("/getnotifications.htm")
public ModelAndView getNotifications(
    HttpServletRequest request, HttpServletResponse response) {
  ModelAndView mv = new ModelAndView();
  try {
    UserInfo userDetails = getUserInfo();
    List<Map<String, Object>> list =
        new ArrayList<Map<String, Object>>();
    List<Notification> notificationList =
        NotificationService.getNotificationsForUserId(
            userDetails.getPersonId());
    for (Notification notification : notificationList) {
      Map<String, Object> map = new HashMap<String, Object>();
      map.put("id", notification.getId());
      // The untrusted message is added to the model verbatim. The view renders
      // it without encoding, so any markup in the message reaches the browser
      // as live HTML (the injection point this example illustrates).
      map.put("message", notification.getMessage());
      list.add(map);
    }
    mv.addObject("Notifications", list);
  } catch (Throwable t) {
    // Log to file and handle
  }
  return mv;
}
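The following hardened version of the loop above is an added example, not code from the book or from the Spring project. It encodes each notification message for an HTML text context before it reaches the model, so the view receives inert text. To keep it compilable on its own it carries no Spring dependency and uses a minimal stand-in for the page's hypothetical Notification type; the sample messages are constructed for the demonstration.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example: the noncompliant model-building loop, hardened by
 * HTML-encoding the untrusted message before it is placed in the model.
 * Stand-alone (no Spring); the Notification class below is a stand-in
 * for the page's hypothetical type.
 */
public class NotificationEscaping {

    /** Minimal stand-in for the page's Notification type (assumption). */
    static final class Notification {
        private final long id;
        private final String message;
        Notification(long id, String message) { this.id = id; this.message = message; }
        long getId() { return id; }
        String getMessage() { return message; }
    }

    /**
     * Encodes the five characters that are significant in HTML text and
     * quoted-attribute context. Same effect as Spring's
     * HtmlUtils.htmlEscape or JSTL's <c:out>; written out so the
     * transformation is visible.
     */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Builds the entries the controller adds to the model under "Notifications". */
    static List<Map<String, Object>> toModel(List<Notification> notifications) {
        List<Map<String, Object>> list = new ArrayList<>();
        for (Notification n : notifications) {
            Map<String, Object> map = new HashMap<>();
            map.put("id", n.getId());
            // Encode at the trust boundary: markup in the message becomes text.
            map.put("message", escapeHtml(n.getMessage()));
            list.add(map);
        }
        return list;
    }

    public static void main(String[] args) {
        // Constructed sample input: one benign and one hostile message.
        List<Notification> input = new ArrayList<>();
        input.add(new Notification(1, "Your report is ready"));
        input.add(new Notification(2, "<script>alert(document.cookie)</script>"));

        for (Map<String, Object> entry : toModel(input)) {
            System.out.println(entry.get("id") + ": " + entry.get("message"));
        }
    }
}
```

In the real controller, `escapeHtml(notification.getMessage())` replaces the bare `notification.getMessage()` in the `map.put` call. The encoding must match the context the view writes into: this encoder is right for HTML text and quoted attributes, but a message emitted inside a `<script>` block or a URL needs a different encoder. Encoding at output time, rather than storing encoded data, also avoids double-encoding when the same message is later shown through another channel.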