Patched src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java

Author: patched.codes[bot]

src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java

@@ -95,10 +95,19 @@ else if (step.equals("done")){
 			content = "<h1>Request Out of Order</h1>"+
 			"<div width=\"99%\"><p>It appears that you attempted to skip or repeat some areas of this survey.  Please <a href=\"survey_questions.jsp\">return to the start page</a> to begin again.</p></div>";
 		} else {		
-			request.getSession().setAttribute("surveyStep", step);
+        String step = request.getParameter("step");
+        public String sanitizeInput(String input) {
+            return input.replaceAll("[^a-zA-Z0-9]", "");
+        }
+        String sanitizedStep = sanitizeInput(step);
+        request.getSession().setAttribute("surveyStep", sanitizedStep);
+
 		}
 		response.setContentType("text/html");
-		response.getWriter().write(content);
+		import org.owasp.esapi.ESAPI;
+		
+		String safeContent = ESAPI.encoder().encodeForHTML(content);
+		response.getWriter().write(safeContent);
 		response.getWriter().flush();
 
 	}