== How to fix it in Java SE

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,java,diff-id=1,diff-type=noncompliant]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    String location = req.getParameter("url");

    URL url = new URL(location);

    HttpURLConnection  conn = (HttpURLConnection) url.openConnection();
}
----

==== Compliant solution

[source,java,diff-id=1,diff-type=compliant]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    String location = req.getParameter("url");

    List<String> allowedHosts = new ArrayList<String>();
    allowedHosts.add("https://trusted1.example.com/");
    allowedHosts.add("https://trusted2.example.com/");

    URL url = new URL(location);

    if (allowedHosts.contains(location))
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
}
----

=== How does this work?

include::../../common/fix/pre-approved-list.adoc[]

=== Pitfalls

include::../../common/pitfalls/starts-with.adoc[]