<%@ page language="java" contentType="text/html; charset=ISO-8859-1" import="java.util.regex.*" pageEncoding="ISO-8859-1"%> <% String action = request.getParameter("action"); String field1 = request.getParameter("field1"); String regex1 = "^[0-9]{3}$";// any three digits Pattern pattern1 = Pattern.compile(regex1); if("Purchase".equals(action)) { if(!pattern1.matcher(field1).matches()) { /** If they supplied the right attack, pass them **/ out.write("alert('Whoops: You entered an incorrect access code of \"" + field1 + "\"');"); // bad XSS } } %>