I am fixing code against the code audit report. It says "PREVENT EXPOSURE OF SENSITIVE DATA" against the line having the syntax response.getWriter().write(xml.toString())
As I said in my comment, I do not think that the comment has anything to do with the code itself, but with the exposure of sensitive data. I have read the PCI-DSS document and I don't remember it saying anything about how something should be coded (good practices aside). You can take a look at all the PCI documentation available yourself. It is a hard task; a better approach would be to try to find out what the consultant meant.
It is really difficult to fix something when you don't know where the problem is.
The content.toString() needs to be properly validated. Use ESAPI to validate it strictly. Writing directly to the response is really vulnerable, and if the data is output from a method having the request as input then it's twice as vulnerable. Major security issue.
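The pattern the answer above warns about, as an added example that is not code from the question or from either answer: a servlet that builds XML from a request parameter and writes it to the response, shown first as the flagged raw-write pattern and then with allow-list validation and XML output encoding before the write. The class name, the "name" parameter, the allow-list regex and the encodeForXml helper are assumptions for illustration; with ESAPI on the classpath the encoding step would be ESAPI.encoder().encodeForXML(name) and the validation step ESAPI.validator().

```java
// Added example (not from the question or the answers). Names are illustrative.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LookupServlet extends HttpServlet {

    // Flagged pattern: request-controlled data goes straight into the response body
    // with no validation, no encoding and no declared content type.
    protected void doGetUnsafe(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String name = request.getParameter("name");
        StringBuilder xml = new StringBuilder();
        xml.append("<result><name>").append(name).append("</name></result>");
        response.getWriter().write(xml.toString());
    }

    // Hardened version: reject input outside an allow-list (assumed policy), encode
    // the value for the XML context before concatenating it, and declare the
    // content type and charset so the client parses the body as intended.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String name = request.getParameter("name");
        if (name == null || !name.matches("[A-Za-z0-9 _.-]{1,64}")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Stand-in for ESAPI.encoder().encodeForXML(name); kept even though the
        // allow-list already excludes markup, so the output stays well-formed if
        // the validation policy is relaxed later.
        String safeName = encodeForXml(name);
        StringBuilder xml = new StringBuilder();
        xml.append("<result><name>").append(safeName).append("</name></result>");
        response.setContentType("application/xml");
        response.setCharacterEncoding("UTF-8");
        PrintWriter out = response.getWriter();
        out.write(xml.toString());
    }

    // Minimal XML text encoder (assumed helper): replaces the five characters that
    // can change XML structure with their entity references.
    static String encodeForXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The two controls do different jobs: validation decides whether the value is acceptable at all, while encoding guarantees that whatever is written cannot alter the structure of the XML document around it. Applying both at the point where request data is turned into response data is what makes the write on the flagged line safe to review.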