CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) and CWE-201: Insertion of Sensitive Information Into Sent Data
I am getting a Veracode vulnerability issue named "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" for the following code.

```jsp
var planNumber = <%=request.getParameter("planNumber") %>;
var guid = "<%=trivisionApp.getCustomerGUID() %>";
```
Also there is another type of vulnerability issue named "CWE-201: Insertion of Sensitive Information Into Sent Data" for the below piece of code:
```jsp
<script src="/acumepro/javascript/master2.js?v=<%=trivisionApp.getVersionNumber() %>" type="text/javascript"></script>
```

How do I solve these vulnerabilities? I am currently working on a JSP-related project.
Solution 1:[1]
We can use the Encode.forJavaScript() function from "org.owasp.encoder.Encode". Below is the demonstration:

```jsp
<script src="/acumepro/javascript/master2.js?v=<%=Encode.forJavaScript( trivisionApp.getVersionNumber()) %>" type="text/javascript"></script>
var guid = "<%=Encode.forJavaScript(trivisionApp.getCustomerGUID()) %>";
```
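Added example (not code from the question or the answer) showing one OWASP Java Encoder call per output context; it assumes the same trivisionApp bean and planNumber request parameter as the question, and it also covers the unquoted planNumber line, which the answer does not address, by validating it as a number instead of encoding it.

```jsp
<%@ page import="org.owasp.encoder.Encode" %>
<%
    // Added example, not from the original post. trivisionApp is assumed to be
    // the same bean the question's JSP already has in scope.

    // 1. Unquoted JavaScript context: no encoder can make this safe, because
    //    whatever is emitted is parsed as code, not as a string. Validate the
    //    value as a number and emit a numeric literal (sentinel -1 if invalid).
    long planNumber = -1L;
    String rawPlan = request.getParameter("planNumber");
    if (rawPlan != null && rawPlan.matches("\\d{1,12}")) {
        planNumber = Long.parseLong(rawPlan);
    }

    // 2. Double-quoted JavaScript string context: forJavaScript escapes quotes,
    //    backslashes, line terminators and the "/" of a closing </script>.
    String guidJs = Encode.forJavaScript(trivisionApp.getCustomerGUID());

    // 3. Query-string value inside an HTML attribute: URL-encode for the query
    //    string first, then attribute-encode for the surrounding src="...".
    String versionParam = Encode.forHtmlAttribute(
            Encode.forUriComponent(trivisionApp.getVersionNumber()));
%>
<script type="text/javascript">
    var planNumber = <%= planNumber %>;
    var guid = "<%= guidJs %>";
</script>
<script src="/acumepro/javascript/master2.js?v=<%= versionParam %>" type="text/javascript"></script>
```

For the CWE-201 finding, note that encoding changes how the version number is written, not whether it is sent; a cache-busting token that is not a release identifier (for example a build hash) avoids disclosing the version at all.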
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Masoom Raza |
