I have a JSP page where I am getting URL from a property file like below -
<spring:eval expression="@environment.getProperty('url.home')" var="homeUrl" />
and it is used like below -
<a target="_blank" href='${homeUrl}'>
<span>Home</span>
</a>
I am getting veracode issue CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) for href='${homeUrl}'.
What would be a better way to fix this Veracode issue?
For your scenario use jstl tag e.g.
<a target="_blank" href="<c:url value='${homeUrl}' />">
<span>Home</span>
</a>