Vulnerable or not?

<div>
    Hi <?php echo $_GET['user']; ?>
</div>
Vulnerable
Not vulnerable
<script>
    document.write("Query : " + decodeURI(window.location.search));
</script>

Vulnerable
Not vulnerable
public void doGet(HttpServletRequest req, HttpServletResponse resp)
        throws IOException {
    String p1 = StringEscapeUtils.escapeHtml(req.getParameter("p1"));
    PrintWriter out = resp.getWriter();
    out.write("<html><body>your param : " + p1 + "</body></html>");
}

Vulnerable
Not vulnerable
<table>
  <c:forEach var="book" items="$">
    <tr><td>${book.author}</td></tr>
  </c:forEach>
</table>
Vulnerable
Not vulnerable
What are the recommended solutions?
Native sanitising functions (document body only)
Native sanitising functions (JavaScript)
Template engines (Twig/Thymeleaf), except for JavaScript
Content Security Policy
Conversion to simple types / closed lists
Powered by: Quiz Maker