...

Using this method, the data specified in the loginID and password fields is not interpreted as executable content at runtime.

In addition, OWASP [OWASP 05] recommends:

This requires the following characters to be removed (i.e., prohibited) or properly escaped:

  • < > / ' = " to prevent straight parameter injection
  • XPath queries should not contain any meta characters (such as ' = * ? // or similar)
  • XSLT expansions should not contain any user input, or if they do, that you comprehensively test the existence of the file, and ensure that the files are within the bounds set by the Java 2 Security Policy
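The following is an added example, not code from the original page or from the CERT rule it belongs to. It combines the two defenses described above: an input check that rejects the metacharacters from the OWASP list, and an XPath query in which the loginID and password values are bound as XPath variables through `javax.xml.xpath.XPathVariableResolver`, so they are treated as data rather than as part of the query. The XML user store, the element names, and the sample credentials are constructed for this example; treating variable binding as "this method" from the text is an assumption.

```java
import java.io.StringReader;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathLoginCheck {

    // Constructed sample user store for this example only. A real store would
    // hold password hashes, not cleartext passwords.
    private static final String USERS_XML =
          "<users>"
        + "  <user><login>alice</login><password>s3cret</password></user>"
        + "  <user><login>bob</login><password>hunter2</password></user>"
        + "</users>";

    // The characters OWASP lists as needing removal or escaping: < > / ' = "
    private static final Pattern FORBIDDEN = Pattern.compile("[<>/'=\"]");

    /** Parses the sample store with DTD processing disabled (no external entities). */
    static Document loadUsers() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(USERS_XML)));
    }

    /** First defense: reject any input containing a metacharacter from the OWASP list. */
    static void validate(String field, String value) {
        if (value == null || FORBIDDEN.matcher(value).find()) {
            throw new IllegalArgumentException("invalid characters in field " + field);
        }
    }

    /**
     * Second defense: the query text is a constant; the user-supplied values are
     * supplied to the XPath engine as variables ($loginID, $password), so a quote
     * or operator inside them can never change the structure of the query.
     */
    static boolean lookupUser(Document doc, String loginID, String password) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(name -> {
            switch (name.getLocalPart()) {
                case "loginID":  return loginID;
                case "password": return password;
                default:         return null;   // unknown variable: evaluation fails
            }
        });
        XPathExpression expr = xpath.compile(
            "/users/user[login/text()=$loginID and password/text()=$password]");
        NodeList matches = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
        return matches.getLength() == 1;
    }

    /** Full check: validate both fields, then run the parameterized query. */
    static boolean authenticate(Document doc, String loginID, String password) throws Exception {
        validate("loginID", loginID);
        validate("password", password);
        return lookupUser(doc, loginID, password);
    }

    public static void main(String[] args) throws Exception {
        Document doc = loadUsers();
        System.out.println("valid credentials:   " + authenticate(doc, "alice", "s3cret"));
        System.out.println("wrong password:      " + authenticate(doc, "alice", "wrong"));
        try {
            authenticate(doc, "O'Brien", "x");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected by validate: " + e.getMessage());
        }
        // Even with validation bypassed, the quote is matched literally against
        // <login> text and simply finds no user.
        System.out.println("quote as data:       " + lookupUser(doc, "O'Brien", "x"));
    }
}
```

Compile and run with `javac XPathLoginCheck.java && java XPathLoginCheck` on Java 8 or later (the resolver is passed as a lambda). The two layers are deliberately independent: `validate` enforces the OWASP character list as an allowlist-style gate, while `lookupUser` would remain safe on its own because the query string never contains user data.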

Risk Assessment

Failing to validate user input may result in information disclosure and execution of unprivileged code.

...