I am getting a Veracode vulnerability issue named "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" for the following code.
var planNumber = <%=request.getParameter("planNumber") %>;
var guid = "<%=trivisionApp.getCustomerGUID() %>";
There is also another type of vulnerability issue, named "CWE-201: Insertion of Sensitive Information Into Sent Data", for the piece of code below:
<script src="/acumepro/javascript/master2.js?v=<%=trivisionApp.getVersionNumber() %>" type="text/javascript"></script>
How do I solve these vulnerabilities? I am currently working on a JSP-related project.
We can use the Encode.forJavaScript() function from "org.owasp.encoder.Encode". Below is the demonstration:
<script src="/acumepro/javascript/master2.js?v=<%=Encode.forJavaScript(trivisionApp.getVersionNumber()) %>" type="text/javascript"></script>
var guid = "<%=Encode.forJavaScript(trivisionApp.getCustomerGUID()) %>";
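As an added example, not code from the question or the answer, here is a small Java program that applies the OWASP Java Encoder to the three output contexts in the question. It assumes org.owasp.encoder (the library the answer names) is on the classpath; the class name JspXssDemo, the method names, the null-on-invalid policy for planNumber and the HOSTILE_* sample inputs are constructed for illustration. It also goes one step beyond the answer: the unquoted planNumber line is handled by numeric validation rather than by an encoder, and the script src attribute, which is a URL inside an HTML attribute, is encoded with forUriComponent and forHtmlAttribute for those contexts.

```java
import org.owasp.encoder.Encode;

// Added example; not code from the question or the answer. Assumes the OWASP Java
// Encoder (org.owasp.encoder.Encode) is on the classpath. The class and method
// names and the HOSTILE_* sample values are constructed for this demonstration.
public class JspXssDemo {

    // Constructed sample inputs of the kind the Veracode finding is about.
    static final String HOSTILE_GUID = "\"; alert(document.cookie); //";
    static final String HOSTILE_PLAN = "1; alert(document.cookie); //";
    static final String HOSTILE_VERSION = "1.0\"></script><script>alert(1)</script>";

    // Context 1: value inside a double-quoted JavaScript string literal, as in
    //   var guid = "<%= ... %>";
    // Encode.forJavaScript escapes quotes, backslashes, slashes and line
    // terminators, so the value cannot close the literal or the <script> block.
    static String guidAssignment(String guid) {
        return "var guid = \"" + Encode.forJavaScript(guid) + "\";";
    }

    // Context 2: the original planNumber line places the value UNQUOTED in
    // JavaScript. No output encoder can make an unquoted position safe, because
    // the injected text never needs a quote to become code. Validate the type
    // instead: a plan number is numeric, so only a numeric literal is emitted.
    // Returns null for anything that is not a whole number (assumed policy; the
    // caller can then omit the variable or report an error).
    static String planNumberAssignment(String raw) {
        if (raw == null) {
            return null;
        }
        long plan;
        try {
            plan = Long.parseLong(raw.trim());
        } catch (NumberFormatException e) {
            return null;
        }
        return "var planNumber = " + plan + ";";
    }

    // Context 3: value inside a URL query string, which itself sits inside an
    // HTML attribute. Encode the innermost context first (URI component), then
    // the outer one (HTML attribute). JavaScript string escapes such as \x22
    // have no meaning to a URL parser or an HTML attribute parser, so the
    // encoder must match the parser that actually reads this position.
    static String scriptTag(String version) {
        String url = "/acumepro/javascript/master2.js?v=" + Encode.forUriComponent(version);
        return "<script src=\"" + Encode.forHtmlAttribute(url)
             + "\" type=\"text/javascript\"></script>";
    }

    public static void main(String[] args) {
        // Quoted JS string: the hostile GUID is emitted as inert escaped text.
        System.out.println(guidAssignment(HOSTILE_GUID));
        // Unquoted JS position: the hostile value is rejected, a real number passes.
        System.out.println(planNumberAssignment(HOSTILE_PLAN));
        System.out.println(planNumberAssignment(" 42 "));
        // URL in an HTML attribute: the hostile version cannot break out of src.
        System.out.println(scriptTag(HOSTILE_VERSION));
    }
}
```

Each method returns the exact fragment the JSP would emit, so the same three calls can be placed in a unit test with hostile input to confirm that the output never contains an unescaped quote, `</script>` or `>` in the respective context.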