Using unvalidated values can expose an application to injection attacks. 


=== Noncompliant code example

[source,text]
----
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
  // ...
  Employee employee = new Employee();
  employee.setFirstName(request.getParameter("firstName")); // Noncompliant
  // ...

  save(employee); // Uh-oh!
----