jsp - How to avoid XSS with this bit of scriptlet?
Using Checkmarx, one page has multiple uses of "request.getParameterNames()", flagged by Checkmarx as "CGI_Reflected_XSS_All_Clients" (query name). The page "error.jsp" is a common page used across multiple apps in the company. The page gets displayed when an unexpected error occurs. Why that way? Who knows; it's best not to show this and to log it instead. I'm pretty new to fixing code being reported as vulnerable by Checkmarx.
<%@ page import="java.util.Enumeration" %>
<h3>Request parameters</h3>
<pre>
<%
    // Dumps every request parameter name and all of its values into the page.
    // This is what Checkmarx flags: both the name and the values are
    // attacker-controlled and are written to the response unescaped.
    Enumeration lenum = request.getParameterNames();
    while (lenum.hasMoreElements()) {
        String key = (String) lenum.nextElement();
        String[] paramValues = request.getParameterValues(key);
        for (int i = 0; i < paramValues.length; i++) {
            out.println(" " + key + " : " + paramValues[i]);
        }
    }
%>
</pre>
The values output to the page need to be HTML-escaped: replace quotes, angle brackets, and ampersands with entities. This can be done with libraries such as Guava, like:
<%-- at the top of error.jsp --%>
<%@ page import="com.google.common.escape.Escaper, com.google.common.html.HtmlEscapers" %>

<%-- inside the loop, escaping the parameter name as well as each value --%>
Escaper escaper = HtmlEscapers.htmlEscaper();
out.println(" " + escaper.escape(key) + " : " + escaper.escape(paramValues[i]));
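To see what the escaping changes, here is an added example that is not part of the original question or answer. It feeds a constructed set of request parameters (including a payload in a parameter name, which the scriptlet also reflects) through an unescaped renderer and an escaped one, then checks the result. The escapeHtml() method is a hand-written stand-in that performs the same five replacements as Guava's HtmlEscapers.htmlEscaper(), so the class runs with no dependencies; in the real error.jsp you would keep using Guava as in the answer.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/*
 * Added example, not code from the original post.
 * Contrasts the flagged scriptlet's output with HTML-escaped output on a
 * constructed parameter map. escapeHtml() mirrors the replacements made by
 * Guava's HtmlEscapers.htmlEscaper() (&, <, >, " and ').
 */
public class ErrorPageEscapeDemo {

    /** Replaces &, <, >, " and ' with entities, as Guava's HTML escaper does. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** What the flagged scriptlet emits: parameter name and values copied verbatim. */
    public static String renderUnescaped(Map<String, String[]> params) {
        StringBuilder out = new StringBuilder();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            for (String v : e.getValue()) {
                out.append(' ').append(e.getKey()).append(" : ").append(v).append('\n');
            }
        }
        return out.toString();
    }

    /** The fixed version: the parameter name and every value are escaped before output. */
    public static String renderEscaped(Map<String, String[]> params) {
        StringBuilder out = new StringBuilder();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            for (String v : e.getValue()) {
                out.append(' ').append(escapeHtml(e.getKey()))
                   .append(" : ").append(escapeHtml(v)).append('\n');
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample request: a benign parameter, payloads in a value,
        // and a payload in the parameter name itself.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("id", new String[] {"42"});
        params.put("q", new String[] {"<script>alert(document.cookie)</script>", "a&b"});
        params.put("<img src=x onerror=alert(1)>", new String[] {"x"});

        String unsafe = renderUnescaped(params);
        String safe = renderEscaped(params);

        System.out.println("--- unescaped (what the flagged error.jsp writes) ---");
        System.out.print(unsafe);
        System.out.println("--- escaped ---");
        System.out.print(safe);

        // No raw markup survives in the escaped output.
        if (safe.indexOf('<') >= 0 || safe.indexOf('>') >= 0) {
            throw new AssertionError("escaped output still contains raw angle brackets");
        }
        if (!safe.contains("&lt;script&gt;") || !safe.contains("a&amp;b")) {
            throw new AssertionError("expected entity-encoded output");
        }
        // Escape exactly once: escaping already-escaped text double-encodes it.
        if (!escapeHtml("&lt;").equals("&amp;lt;")) {
            throw new AssertionError("double escaping check failed");
        }
        System.out.println("checks passed");
    }
}
```

Two points worth keeping in mind when applying this to error.jsp. First, the output sits inside a `<pre>` element, which is ordinary element content, so HTML entity escaping is the right encoding; if the same values were ever placed inside an attribute, a `<script>` block or a URL, that context needs its own encoder (the OWASP Java Encoder's context-specific methods such as Encode.forHtml and Encode.forJavaScript cover these). Second, the scriptlet-free way to get the same effect in JSP is JSTL's `<c:out>`, which escapes the same five characters by default (escapeXml="true"); either route is fine, but apply it to the parameter name as well as the value, and apply it once.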