Do not operate on unvalidated or untrusted data (also known as tainted data) in a doPrivileged() block. An attacker can supply malicious input that could result in privilege escalation attacks. Appropriate mitigations include hardcoding values rather than accepting arguments (when appropriate), or validating (a.k.a. sanitizing) date data before the privileged operations.
...