A security scan reported an Input Validation flaw: request parameters must be checked to be numeric before they are used. The code in question was:
<jsp:forward page="AccessError.jsp">
    <jsp:param name="storeId" value="${WCParam.storeId}" />
    <jsp:param name="langId" value="${WCParam.langId}" />
    <jsp:param name="catalogId" value="${WCParam.catalogId}" />
</jsp:forward>
The solution used was to copy the parameter into a page variable only when it is entirely digits (EL's String.matches() must match the whole value, so no ^ and $ anchors are needed), and to reference that variable instead of ${WCParam.storeId} in the forward; the same check applies to langId and catalogId:
<c:set var="storeId">
    <c:if test="${WCParam.storeId.matches('[0-9]+')}">
        <c:out value="${WCParam.storeId}"/>
    </c:if>
</c:set>
FYI, WCS provides an OOB option; you can achieve this using WhiteListProtection in wc-server.xml.
Here is the sample:
<WhiteListProtection enabled="true" name="WhiteListProtection" display="false">
    <param name="storeId" regex="[-]?[0-9]*" />
    <param name="langId" regex="[-]?[0-9]*" />
    <param name="catalogId" regex="[-]?[0-9]*" />
</WhiteListProtection>
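To make the allow-list concrete, here is an added example (not code from this post, its commenter, or WebSphere Commerce) of the same per-parameter regex check written in plain Java, the way a request filter would apply it before the forward. It assumes a hypothetical ParamAllowList helper and tightens the sample's `[0-9]*` to `[0-9]+` so that an empty value is rejected as well.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Hypothetical helper: per-parameter allow-list like the JSTL check and the
// wc-server.xml WhiteListProtection entries, expressed in Java.
public final class ParamAllowList {
    // Parameter name -> pattern the WHOLE value must match. Matcher.matches()
    // is anchored, like EL's String.matches(), so no ^...$ is needed.
    // "+" instead of the sample's "*" so an empty value is also rejected.
    private static final Map<String, Pattern> RULES = new LinkedHashMap<>();
    static {
        RULES.put("storeId",   Pattern.compile("[0-9]+"));
        RULES.put("langId",    Pattern.compile("[-]?[0-9]+")); // langId may be negative
        RULES.put("catalogId", Pattern.compile("[0-9]+"));
    }

    // Returns the value if it satisfies its rule, otherwise null (parameter dropped).
    // Unknown parameter names have no rule and are dropped as well.
    public static String validate(String name, String value) {
        Pattern p = RULES.get(name);
        if (p == null || value == null) {
            return null;
        }
        return p.matcher(value).matches() ? value : null;
    }

    // Reduces the request parameters to the validated ones; only these should
    // be placed in the <jsp:param> values of the forward.
    public static Map<String, String> filter(Map<String, String> params) {
        Map<String, String> clean = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            String v = validate(e.getKey(), e.getValue());
            if (v != null) {
                clean.put(e.getKey(), v);
            }
        }
        return clean;
    }

    public static void main(String[] args) {
        // Constructed sample request: valid, negative, tampered and empty values.
        Map<String, String> req = new LinkedHashMap<>();
        req.put("storeId", "10001");
        req.put("langId", "-1");
        req.put("catalogId", "10051abc");
        req.put("debug", "");
        System.out.println(filter(req));
    }
}
```

Only storeId and langId survive the filter here; the non-numeric catalogId and the unknown, empty debug parameter are dropped rather than forwarded.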