Can “c:set” cause Cross Site Scripting (XSS) vulnerability?


Can this be exploited as XSS vulnerability using urls like localhost/?myVar=<script>alert(document.cookie)</script> or though any other possibility?

<c:set var="myVar" value="<%=request.getParameter("myVar")%>"/>
<c:if test="${myVar == 'VALUE1'}">
   <option value="a">A</option>
   <option value="b">B</option>
</c:if>
<c:if test="${myVar == 'VALUE2'}">
   <option value="c">C</option>
   <option value="d">D</option>
</c:if>

How can we secure ourself from this?