Hi All,

This is a very-very-very urgent need!! Please ping if u have any clue..

Scenario :::
To prevent XSS Cross site scripting from external sources ..I tried these things.
When a webpage is called, I 'll scan all the parameter values passed and if it contains any mailicous characters like < % > etc ,I'll encode to ascii format..

The problem is in java there is no equivalent of getParameter() i.e any function like setParameter(). .

So I tried using setAttribute but no luck ...
I've posted the full code of

1.jsp code [ This jsp is called from other page which sends some parameters ]
2.Servlet class (which acts as a filter)
3. log file info (the output console)


Please tell me where I got wrong

jsp code::
<%
String _field=request.getParameter("Area1");
System.out.println("Value becomes: "+_field);
%>


N.B :: Actually the parameter Area1 is passed from previous page . I just checked to see if it prints the modified input or the same input

ServletClass
Code:
import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;


public class MyFilterServlet implements Filter 
{
	private FilterConfig filterConfig = null;

	public void init(FilterConfig filterConfig) {
		this.filterConfig = filterConfig;
	}


	 
/** 
 *  Description : First Enumerates all parameters and its values.
 * 		  Pass parameter values to encodeChars function
 * 		  Using HttpSession object,set the new parameter values
*/
	
	public void doFilter(ServletRequest request, ServletResponse response,FilterChain chain) throws IOException, ServletException 
  {

	/** wrap the request object
	* this customised request object enables you to modify request headers */

	HttpServletRequestWrapper reqwrapper=new HttpServletRequestWrapper((HttpServletRequest)request);


	/* Session object to set new parameter values */
	HttpSession _session=reqwrapper.getSession();


	/* Enumerate parameters,parameter values */
	Enumeration parameters=reqwrapper.getParameterNames();
	while(parameters.hasMoreElements()){
		String paramName=(String)parameters.nextElement();
		String paramValue=reqwrapper.getParameter(paramName);
	
		/* encode function to change certain characters */
		System.out.println(paramName+": "+paramValue); // XXX		String modifiedValue=encodeChars(paramValue);
		System.out.println(modifiedValue); //YYY		reqwrapper.setAttribute(paramName,modifiedValue);

	}

	
	System.out.println("the filter is on"); //ZZZ 
	chain.doFilter(reqwrapper, response);
	
  }



	public void destroy() { }


   public static String encodeChars( String s ) {
    StringBuffer sb = new StringBuffer();
    for ( int i = 0; i < s.length(); i++ ) {
      char c = s.charAt( i );
      if ( c == '<' ) sb.append( "&lt;" );
      else if ( c == '>' ) sb.append( "&gt;" );
      else if ( c == '%' ) sb.append( "&#25" );
      else if ( c == '"' ) sb.append( "" );
      else if ( c == '\'' ) sb.append( "" );
      else if ( c == '+' ) sb.append( "B;" );
      // newline filter
      else if ( c == '\n' ) sb.append( "&lt;br/&gt;");
      else sb.append( c );
    }
    return sb.toString();
  }
   
} 
In Log FIle

Area1: ANderson <>#$%<?>LO?: // Output due to line XXX
ANderson &lt;&gt;#$&#25&lt;?&gt;LO?: //Output due to line YYY
the filter is on //Output due to line ZZZ
Value becomes: ANderson <>#$%<?>LO?: //Output thro JSP page




Can someone tell me why that setAttribute doesn't have any impact on the parameter.. ( or) how to modify the parameter values in the request object ????

Last edited by shabbir; 31Aug2007 at 08:16.. Reason: Code block