Code injection results from untrusted input being injected into dynamically constructed code. The javax.script package provides an API of interfaces and classes that define Java scripting engines and a framework for their use from Java code; an obvious example is running JavaScript from Java. Misuse of the javax.script API permits an attacker to execute arbitrary code on the target system. Such errors are dangerous because violations of secure coding practices in dynamically generated code cannot be detected in advance through static analysis of the Java source.
This guideline is a specific instance of IDS00-J. Sanitize untrusted data passed across a trust boundary.
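The following is an added illustration of the pattern this guideline addresses; it is not the standard's own code example. It places the vulnerable construction (untrusted input concatenated into script source) beside a hardened form that allow-list validates the input and passes it to the script as data through the engine's bindings rather than as code. The method names, the allow-list pattern and the sample inputs are constructed for this illustration. Note that `getEngineByName("JavaScript")` may return `null` on JDK 15 and later, where the bundled Nashorn engine was removed, so the demo checks for that.

```java
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
import java.util.regex.Pattern;

public class ScriptInjectionDemo {

    // Vulnerable: the untrusted value is spliced directly into the script source,
    // so whatever the caller supplies becomes part of the program the engine runs.
    static Object evalUnsafe(ScriptEngine engine, String firstName) throws ScriptException {
        return engine.eval("var greeting = 'Hello, " + firstName + "!'; greeting;");
    }

    // Constructed allow-list: letters, spaces, dots and hyphens only, bounded length.
    // Anything that could alter script syntax (quotes, semicolons, braces) is rejected.
    private static final Pattern NAME = Pattern.compile("\\p{L}[\\p{L} .-]{0,63}");

    // Hardened: validate against the allow-list, then hand the value to the script
    // as a bound variable (data) instead of concatenating it into the source (code).
    static Object evalSafe(ScriptEngine engine, String firstName) throws ScriptException {
        if (firstName == null || !NAME.matcher(firstName).matches()) {
            throw new IllegalArgumentException("name contains characters outside the allow-list");
        }
        engine.put("firstName", firstName);
        return engine.eval("var greeting = 'Hello, ' + firstName + '!'; greeting;");
    }

    public static void main(String[] args) throws ScriptException {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("JavaScript");
        if (engine == null) {
            System.err.println("No JavaScript engine found (Nashorn was removed in JDK 15; "
                    + "add a standalone script engine to the classpath).");
            return;
        }

        // Ordinary input passes validation and is greeted.
        System.out.println(evalSafe(engine, "Alice"));          // Hello, Alice!

        // Constructed input that would have terminated the string literal in the
        // unsafe version is refused before it reaches the engine at all.
        String hostile = "Alice'; 1 + 1; '";
        try {
            evalSafe(engine, hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Validation and bindings are complementary: the allow-list keeps the application's own assumptions about the value explicit, while the binding removes the concatenation that made the value executable in the first place. Where the script engine supports it, running untrusted scripts under a restricted context is a further layer, but it does not replace keeping untrusted data out of the code path.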
Noncompliant Code Example
...