Hi All, this is a very-very-very urgent need!! Please ping if you have any clue..

Scenario: To prevent XSS (cross-site scripting) from external sources, I tried these things. When a webpage is called, I'll scan all the parameter values passed and, if it contains any malicious characters like < % > etc., I'll encode to ASCII format. The problem is that in Java there is no equivalent of getParameter(), i.e. any function like setParameter(). So I tried using setAttribute but no luck...

I've posted the full code of:
1. jsp code [This jsp is called from another page which sends some parameters]
2. Servlet class (which acts as a filter)
3. log file info (the output console)

Please tell me where I got wrong.

jsp code:

```jsp
<%
    String _field = request.getParameter("Area1");
    System.out.println("Value becomes: " + _field);
%>
```

N.B.: Actually the parameter Area1 is passed from the previous page. I just checked to see if it prints the modified input or the same input.

ServletClass code:

```java
import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class MyFilterServlet implements Filter {
    private FilterConfig filterConfig = null;

    public void init(FilterConfig filterConfig) {
        this.filterConfig = filterConfig;
    }

    /**
     * Description: First enumerates all parameters and their values.
     * Passes parameter values to the encodeChars function.
     * Using the HttpSession object, sets the new parameter values.
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        /* wrap the request object;
         * this customised request object enables you to modify request headers */
        HttpServletRequestWrapper reqwrapper = new HttpServletRequestWrapper((HttpServletRequest) request);
        /* Session object to set new parameter values (not used further below) */
        HttpSession _session = reqwrapper.getSession();
        /* Enumerate parameters, parameter values */
        Enumeration parameters = reqwrapper.getParameterNames();
        while (parameters.hasMoreElements()) {
            String paramName = (String) parameters.nextElement();
            String paramValue = reqwrapper.getParameter(paramName);
            /* encode function to change certain characters */
            System.out.println(paramName + ": " + paramValue);   // XXX
            String modifiedValue = encodeChars(paramValue);
            System.out.println(modifiedValue);                   // YYY
            reqwrapper.setAttribute(paramName, modifiedValue);
        }
        System.out.println("the filter is on");                  // ZZZ
        chain.doFilter(reqwrapper, response);
    }

    public void destroy() {
    }

    public static String encodeChars(String s) {
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '<') sb.append("&lt;");        // HTML entity for '<'
            else if (c == '>') sb.append("&gt;");   // HTML entity for '>'
            else if (c == '%') sb.append("");       // dropped entirely
            else if (c == '"') sb.append("");
            else if (c == '\'') sb.append("");
            else if (c == '+') sb.append("");
            // newline filter
            else if (c == '\n') sb.append("<br/>");
            else sb.append(c);
        }
        return sb.toString();
    }
}
```

In log file:

```
Area1: ANderson <>#$%<?>LO?:          // Output due to line XXX
ANderson <>#$<?>LO?:                  // Output due to line YYY
the filter is on                      // Output due to line ZZZ
Value becomes: ANderson <>#$%<?>LO?:  // Output through JSP page
```

Can someone tell me why that setAttribute doesn't have any impact on the parameter, (or) how to modify the parameter values in the request object????
Please use the code block when you have code snippets in your posts. I would suggest you read: Before you make a query