    String Lang=request.getParameter("lang");
    ...
    if ((Lang!=null) && (Lang.indexOf('\r')==-1) && (Lang.indexOf('\n')==-1))
    {
        /* Lang is present and does not contain CRs or LFs, */
        /* so it's safe here (at least from the perspective */
        /* of HTTP Response Splitting)                      */

        response.sendRedirect("/by_lang.jsp?lang="+Lang);
    }
    else
    {
        /* handle security error (reject the request) */

        ...
    }

Example 4: Eliminating CR/LFs from parameters.
