We use a web control adapter in our login page. Recently we ran VeraCode on our web application. In the following function, we got CWE80, Improper Neutralization of Script-Related
A function call contains an HTTP response splitting flaw. Writing unsanitized user-supplied input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and cross-site scripting attacks.
Issue code:

strMessage = CLASSCONSTANTNAME + className + MESSAGENAME + message;
LOGGER.info(strMessage);
Fixed code:

strMessage = CLASSCONSTANTNAME + className + MESSAGENAME + message;
LOGGER.info(ESAPI.encoder().encodeForHTML(strMessage));
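As an added example (not the poster's code), here is the same logging statement with only the request-supplied part neutralized, so a value containing CR/LF cannot end the current log record and start a forged one. The values of CLASSCONSTANTNAME and MESSAGENAME, the class name SafeLoginLogging, and the sample message are assumed or constructed for the example.

```java
import java.util.logging.Logger;

// Added example, not the original poster's code.
public class SafeLoginLogging {
    private static final Logger LOGGER = Logger.getLogger(SafeLoginLogging.class.getName());

    // Assumed values standing in for the poster's CLASSCONSTANTNAME / MESSAGENAME.
    private static final String CLASSCONSTANTNAME = "class=";
    private static final String MESSAGENAME = " message=";

    /**
     * Escapes CR, LF and other control characters so a value copied from the
     * request cannot terminate the log record and inject a fake one.
     * Printable text passes through unchanged, so the log stays readable.
     */
    static String neutralizeForLog(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\r': out.append("\\r"); break;
                case '\n': out.append("\\n"); break;
                case '\t': out.append("\\t"); break;
                default:
                    if (c < 0x20 || c == 0x7f || (c >= 0x80 && c <= 0x9f)) {
                        out.append(String.format("\\u%04x", (int) c));   // other C0/C1 controls
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    // className is set by the application; message may originate from the request.
    static String buildLogMessage(String className, String message) {
        return CLASSCONSTANTNAME + className + MESSAGENAME + neutralizeForLog(message);
    }

    public static void main(String[] args) {
        // Constructed sample: a message carrying CRLF followed by a fake second record.
        String tainted = "bad password\r\nINFO: login ok for admin";
        String strMessage = buildLogMessage("LoginPage", tainted);
        LOGGER.info(strMessage);   // written as a single record, CRLF shown as \r\n
    }
}
```

ESAPI's encodeForHTML, as used in the fixed code above, also turns CR and LF into numeric entities, but it encodes most other punctuation as well; the escaping here touches only the characters that break the record structure, which is what the log-injection part of the finding is about.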