tainted-file-path
tainted-url-host
tainted-sql-string
connection.PreparedStatement
) or a safe library.
tainted-html-string
tainted-system-command
new ProcessBuilder("ls", "-al", targetDirectory)
. Further, make sure you hardcode or allowlist the actual command so that attackers can’t run arbitrary commands.