The server encountered an internal error () that prevented it from fulfilling this request - tomcat server

Question

I have a project with Java, I found a Vulnerability and tried to solve it using ESAPI, but when I execute it I found the following problem:

I added this code:

<% import org.apache.commons.lang.StringEscapeUtils;%>

This code-making problem and the rest of the code depends on it. the first code is :

boolean bReportFormat=(request.getParameter("reportFormat")!=null);
f.setGroupingUsed(bReportFormat);

and the second code is:

<% import org.apache.commons.lang.StringEscapeUtils;%>
  <% String bReportFormat=(request.getParameter("reportFormat")!=null);
String input = request.getParameter("reportFormat");
String Comment = ESAPI.validator().getValidInput("reportFormat", input, "CommentRegex", 400, false, errorV);
String bReportFormat= ESAPI.encoder().encodeForHTML( Comment );



f.setGroupingUsed(bReportFormat);



%>

---

I am using the ESAPI as explained without adding anything else. Please who has a solution to help, and thanks.

Answer 1

See How do you import classes in JSP? The correct syntax for an import in JSP is <%@ page import="org.apache.commons.lang.StringEscapeUtils" %> You need the page keyword and import= option, and no semicolon.

The normal <% %> syntax is for defining in-line code -- think of it as injecting code inside the body of a Java method. import statements are not allowed inside methods -- they must be done at the top of the source file. (Tomcat converts the JSP source into a Java source file.) The <% page %> directive is to emit page-level declarations such as Java import statements.