1- Whenever any error/exception occurred, it unfortunately displays the system details with application architecture, like: ServletException: our JSP name with path, etc.
2- Injection of data during application access, i.e. when we log in through id 'abc', it should remain the same till the end of the session, but how to prevent it from injection, so that any third party should not change the login id.
3- Facing cross-site scripting attack, i.e. it is being reflected back to the browser (user).
For the 2nd issue, what I mean to say is, if we are having application access with a particular user id, the application should keep an eye on that the same user id is being used throughout the access period.
For the 3rd issue, please let me know how to tackle a cross-site scripting attack?
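As an added illustration of the 1st and 2nd issues (this is example code written for this thread, not the poster's application), the servlet filter below does two things: it takes the current user id only from a session attribute that the login code sets once, never from anything the client sends, and it catches exceptions from the rest of the request so the stack trace goes to the server log instead of the browser. The class name, the `authenticatedUserId` attribute, the `currentUser` request attribute, `/login.jsp` and `/WEB-INF/error.jsp` are all assumed names for the example.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter, mapped to /* in web.xml; all names here are assumptions.
public class SessionUserAndErrorFilter implements Filter {

    // Session attribute written once by the login servlet after the password check.
    public static final String USER_ATTR = "authenticatedUserId";

    private static final Logger LOG =
            Logger.getLogger(SessionUserAndErrorFilter.class.getName());

    public void init(FilterConfig cfg) { }

    public void destroy() { }

    // Called by the login servlet once credentials are verified. Dropping the
    // pre-login session and creating a fresh one keeps a session id that an
    // outsider planted in the browser from being attached to the logged-in user.
    public static void bindUser(HttpServletRequest request, String userId) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(USER_ATTR, userId);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);

        // 2nd issue: the user id comes only from the server-side session. A
        // "userId" request parameter sent by the client is simply ignored; pages
        // and servlets read the "currentUser" request attribute set here.
        String userId = (session == null) ? null : (String) session.getAttribute(USER_ATTR);
        if (userId == null) {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        request.setAttribute("currentUser", userId);

        try {
            chain.doFilter(request, response);
        } catch (RuntimeException e) {
            handle(e, request, response);
        } catch (ServletException e) {
            handle(e, request, response);
        }
    }

    // 1st issue: full details go to the server log; the browser gets a generic page.
    private void handle(Exception e, HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        LOG.log(Level.SEVERE, "Unhandled error for user " + request.getAttribute("currentUser")
                + " on " + request.getRequestURI(), e);
        if (!response.isCommitted()) {
            response.reset();
            response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            request.getRequestDispatcher("/WEB-INF/error.jsp").forward(request, response);
        }
    }
}
```

The filter cannot catch everything (for example a JSP that fails to compile is reported by the container before the filter chain runs), so the same generic page should also be registered with `<error-page>` entries in web.xml for `java.lang.Throwable` and for the 500 status code. Keeping `error.jsp` under `WEB-INF` means it can only be reached by the forward, not by a direct URL.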
I'm not quite following what you're trying to guard against. The userID is determined upon login, put into the session, and never changed after that. Why (or how) would the application use a different one? Any parameters passed in from the client are suspect, of course, and can't be trusted, but the userID is assigned by the server.
Are you asking how to replace certain substrings of a request parameter with certain other substrings before using/storing them? If so, check out regular expressions, especially the String.replaceAll method. Note that some of the characters involved are regexp special characters, so you need to escape them. The javadocs for the java.util.regex.Pattern class explain all about that.
What I want in my case is to prevent the login id from getting changed by anyone.
I am asking that, if we are showing some custom error message with dynamic data (like user id), then it should not get affected by a cross-site scripting attack, i.e. "Following user id does not exist: <script>alert("")</script>".
How to prevent such kind of thing?
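Taking the reply's suggestion of replacing certain characters before using them, together with the error-message case just described, here is an added example (not code from either poster) of the usual fix: the dynamic value is left as the user typed it, and the characters that have meaning in HTML are replaced with entities at the moment the value is written into the page. The class and method names are assumptions for the example; the hostile input is the string from the question above.

```java
// Added example: escape untrusted data before it is written into an HTML response,
// so a value that is reflected back cannot become markup or script.
public final class HtmlEscaper {

    private HtmlEscaper() { }

    // A plain character loop rather than String.replaceAll: no regex metacharacters
    // to get wrong, and '&' is handled first by construction since each input
    // character is examined exactly once.
    public static String escapeHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Builds the custom error message from the thread with the untrusted id escaped.
    public static String userNotFoundMessage(String requestedId) {
        return "Following user id does not exist: " + escapeHtml(requestedId);
    }

    public static void main(String[] args) {
        // Constructed hostile input, taken from the question in this thread.
        String hostile = "<script>alert(\"\")</script>";
        System.out.println(userNotFoundMessage(hostile));
    }
}
```

With the escaped message, the browser shows the `<script>` text literally instead of running it. Two points follow from this: escape at output, in the context the value lands in (this encoding is for HTML body and attribute text; a value placed inside a JavaScript block or a URL needs that context's encoding instead), and do the escaping in one place so a JSP cannot forget it. In JSP pages the same effect comes from JSTL's `<c:out value="${requestedId}"/>`, which escapes these characters by default, rather than `<%= requestedId %>`, which writes the raw string. Restricting the login id on input to a whitelist of expected characters is a useful second line, but it does not replace output escaping, because the same id may later be displayed in other places.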