nyx/tests/fixtures/header_injection/java/SafeSetHeader.java

// Safe: request parameter routed through the project-local `stripCRLF`
// helper before being written to the response header.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SafeSetHeader {
    public static String stripCRLF(String raw) {
        return raw.replace("\r", "").replace("\n", "");
    }

    public void handle(HttpServletRequest req, HttpServletResponse res) {
        String lang = req.getParameter("lang");
        String safe = stripCRLF(lang);
        res.setHeader("X-Lang", safe);
    }
}
new capacity bits (#67) 2026-05-07 01:29:31 -04:00			// Safe: request parameter routed through the project-local `stripCRLF`
			`// helper before being written to the response header.`
			`import javax.servlet.http.HttpServletRequest;`
			`import javax.servlet.http.HttpServletResponse;`

			`public class SafeSetHeader {`
			`public static String stripCRLF(String raw) {`
			`return raw.replace("\r", "").replace("\n", "");`
			`}`

			`public void handle(HttpServletRequest req, HttpServletResponse res) {`
			`String lang = req.getParameter("lang");`
			`String safe = stripCRLF(lang);`
			`res.setHeader("X-Lang", safe);`
			`}`
			`}`