== Why is this an issue?

In cross-site scripting attacks, attackers insert attack scripts into your pages. Because no system is fool-proof, it may not be enough to screen the data that's submitted to an application. You should also escape any previously-stored content sent to the user so that any malicious code that may have escaped your input screening is neutralized. 


This rule checks values retrieved from a database or a parameter and passed to ``++HttpServletRequest.setAttribute()++``, ``++HttpSession.setAttribute()++``, ``++HttpServletResponse.sendError++``, and to the ``++write++`` method of the ``++PrintWriter++`` returned from ``++HttpResponse.getWriter()++``.


=== Noncompliant code example

[source,text]
----
public String getTaintedValue(Connection con, HttpServletRequest request) throws SQLException {

  PreparedStatement pstmt = null;
  String query = "select TAINTED_VALUE " +
                 "from TAINTED_VALUES where KEY=?"
  try {
    pstmt = con.prepareStatement(query);
    pstmt.setString(1, request.getParameter("key"));  // PreparedStatements escape their inputs, so this incoming value is okay
    ResultSet rs = pstmt.executeQuery();
    while (rs.next()) {
      request.setAttribute("taintedValue",rs.getString("TAINTED_VALUE"));  // Noncompliant; this value should be escaped before being sent back to the user.
----


include::see.adoc[]