There may be special characters in ‘’request.getParameter("client")‘’.Sending unvalidated data to a web browser can result in the browser executing malicious code.