include::../description.adoc[]


== Noncompliant Code Example

[source,java]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  String xml = "<node id=\""+req.getParameter("id")+\"></node>";
  FileOutputStream fos = new FileOutputStream("output.xml");
  fos.write(xml.getBytes(Charset.forName("UTF-8")));  // Noncompliant
}
----

javax.xml.parsers.DocumentBuilder
[source,java]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  String xml = "<node id=\""+req.getParameter("id")+\"></node>";
  
  DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
  DocumentBuilder builder = factory.newDocumentBuilder();
  Document doc = builder.parse(new InputSource(new StringReader(xml)));  // Noncompliant
}
----

== Compliant Solution

[source,java]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  String id = req.getParameter("id");
  if(id.matches("^[A-Za-z0-9_]+$")) {
    String xml = "<node id=\""+id+\"></node>";
    FileOutputStream fos = new FileOutputStream("output.xml");
    fos.write(xml.getBytes(Charset.forName("UTF-8")));
  }
}
----

javax.xml.parsers.DocumentBuilder
[source,java]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    String xml = "<node></node>;
  
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    DocumentBuilder builder = factory.newDocumentBuilder();
    Document doc = builder.parse(new InputSource(new StringReader(xml)));  // Noncompliant
    Element element = (Element) doc.getElementsByTagName("something").item(0);
    element.setAttribute("id", req.getParameter("id"));
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]