Hi,
I have a basic include where the filename is controlled by a request parameter:
<%String fileName = request.getParameter("param1")+".jsp"; %>
<jsp:include page="<%=fileName%>" flush="true" />
This works fine, but I am rather worried about the security, as someone can easily edit the URL to something like this:
http://www.mysite.com/include.jsp?param1=../../../passwords
Does anyone have any good security techniques that would strip out anything in param1 that could potentially be rather dangerous?
Thanks
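
One way to handle the concern raised above, added here as an example and not part of the original post: rather than stripping characters out of param1, look the value up in a fixed allow-list so the request parameter never becomes part of a file path. The class name `IncludeResolver`, the page keys and the `/WEB-INF/fragments/` paths are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Optional;

public class IncludeResolver {

    // Hypothetical page keys and paths: the only files the include can ever reach.
    // Keeping fragments under /WEB-INF also stops them being requested directly.
    private static final Map<String, String> PAGES = Map.of(
            "home",    "/WEB-INF/fragments/home.jsp",
            "news",    "/WEB-INF/fragments/news.jsp",
            "contact", "/WEB-INF/fragments/contact.jsp");

    /**
     * Returns the fixed include path for a known key, or empty for anything else.
     * The caller's input is only ever used as a map key, never concatenated
     * into a path, so "../", encoded separators and absolute paths all fail
     * the same way: they are simply not in the map.
     */
    public static Optional<String> resolve(String param) {
        if (param == null) {
            return Optional.empty();   // Map.of(...) maps reject null keys
        }
        return Optional.ofNullable(PAGES.get(param));
    }

    // In the JSP, call resolve(request.getParameter("param1")); if the result
    // is empty, respond with HttpServletResponse.SC_NOT_FOUND, otherwise pass
    // the returned path to <jsp:include page="..."/>.

    public static void main(String[] args) {
        // Constructed sample inputs, including the URL value from the post.
        String[] samples = {
            "home", "../../../passwords", "news%00", "HOME", "WEB-INF/web", null
        };
        for (String s : samples) {
            String target = resolve(s).orElse("(rejected, send 404)");
            System.out.println(s + " => " + target);
        }
    }
}
```

Only `home` resolves in the sample run; every other value, including the traversal string and the differently cased key, is rejected without any filtering logic to get wrong.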