Question

I've analyzed some code with FindBugs and it reported a warning for

servlet reflected cross-site scripting vulnerability.

The code looks like this, and the third line triggers the warning:

String tickName = request.getParameter("ticko");
PrintWriter w = response.getWriter();
w.println("Unable to perform tickonem '" + tickName + "' because no tick with that name is active!"); // this line triggers the warning.

What is the real reason for it, and how do I fix it?


Solution

The reason for that is appending user-provided data to the response without any escaping. This is vulnerable to injecting JavaScript, which will get executed in the user's browser. To avoid such vulnerabilities you should HTML-escape all user-supplied data before sending it back. You can use existing libraries to perform the escaping for you, for example StringEscapeUtils.

Other tips

Writing un-sanitised user data makes the application vulnerable to a cross-site scripting attack. You can use this encoder library and modify your code like this:

import org.owasp.encoder.Encode;

String tickName = request.getParameter("ticko");
PrintWriter w = response.getWriter();
// Encode only the untrusted value, and encode it for the context it lands in:
// an HTML text node. (Encode.forJava escapes for Java string literals, not HTML.)
String responseString = "Unable to perform tickonem '" + Encode.forHtml(tickName) + "' because no tick with that name is active!";
w.println(responseString); // this line no longer triggers the warning.
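To make concrete what "HTML-escaping the user-supplied data" buys you, here is an added, self-contained example (not code from the question or either answer, and not the OWASP Encoder library itself). It implements a minimal escaper for an HTML text context, builds the same message as the question both unescaped and escaped, and checks that the escaped form contains no raw tag delimiters. The class name `TickResponse`, the helper names `escapeHtml`, `unsafeMessage` and `safeMessage`, and the sample parameter value are all constructed for this illustration; in the servlet you would call a maintained library such as `Encode.forHtml` or `StringEscapeUtils` instead of rolling your own.

```java
// Added example, not from the original post: shows what HTML-escaping does
// to the "ticko" parameter before it is written into the response body.
// Prefer a maintained library (OWASP Java Encoder's Encode.forHtml, or
// Apache Commons Text's StringEscapeUtils.escapeHtml4) over this helper.
public class TickResponse {

    // Escape the characters that change meaning in an HTML text context.
    // This is the set OWASP recommends for HTML element content.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '/':  sb.append("&#47;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The construction from the question: the untrusted parameter is
    // concatenated straight into the response body.
    static String unsafeMessage(String tickName) {
        return "Unable to perform tickonem '" + tickName
             + "' because no tick with that name is active!";
    }

    // Hardened construction: only the untrusted part is escaped; the
    // static text around it is trusted and left alone.
    static String safeMessage(String tickName) {
        return "Unable to perform tickonem '" + escapeHtml(tickName)
             + "' because no tick with that name is active!";
    }

    public static void main(String[] args) {
        // Constructed sample value for the "ticko" request parameter.
        String tickName = "<script>alert(1)</script>";

        System.out.println("unsafe: " + unsafeMessage(tickName));
        System.out.println("safe:   " + safeMessage(tickName));

        // Regression check: escaped output must not contain raw tag delimiters.
        String escaped = safeMessage(tickName);
        if (escaped.contains("<") || escaped.contains(">")) {
            throw new AssertionError("HTML escaping failed");
        }
        // The escaping must also not be applied twice (double-encoding
        // turns a legitimate "&" into "&amp;amp;").
        if (escapeHtml("a & b").equals(escapeHtml(escapeHtml("a & b")))) {
            throw new AssertionError("escaping is not idempotent-sensitive as expected");
        }
    }
}
```

Two things to carry over into the servlet: call the escaper on `tickName` only, exactly where it is concatenated (escaping the whole message also works but hides where the trust boundary is), and set `response.setContentType("text/html; charset=UTF-8")` before writing, so the browser interprets the output in the context you escaped for. If the parameter ever lands in a different context (an attribute value, a URL, or inside a script block), the text-node escaper above is not sufficient and the matching context-specific encoder is required.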
License: CC-BY-SA with attribution
Not affiliated with StackOverflow