
Urgent Help !!! Modifying params in Request object|| java equiv of setParameter()

Discussion in 'Java' started by sakthi.abdullah, Aug 30, 2007.

    sakthi.abdullah New Member

    Hi All,

    This is a very-very-very urgent need!! Please ping if you have any clue..

    Scenario :::
    To prevent XSS (cross-site scripting) from external sources, I tried these things.

    When a webpage is called, I'll scan all the parameter values passed and if any contains malicious characters like < % > etc., I'll encode them to ASCII format..

    The problem is that in Java there is no counterpart to getParameter(), i.e. any function like setParameter().

    So I tried using setAttribute but no luck ...

    I've posted the full code of

    1.jsp code [ This jsp is called from other page which sends some parameters ]
    2.Servlet class (which acts as a filter)
    3. log file info (the output console)


    Please tell me where I got wrong

    jsp code::
    <%
    String _field=request.getParameter("Area1");
    System.out.println("Value becomes: "+_field);
    %>


    N.B :: Actually the parameter Area1 is passed from the previous page. I just checked to see if it prints the modified input or the same input.

    ServletClass
    Code:
    import java.io.*;
    import java.util.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class MyFilterServlet implements Filter
    {
        private FilterConfig filterConfig = null;

        public void init(FilterConfig filterConfig) {
            this.filterConfig = filterConfig;
        }

        /**
         * Description: First enumerates all parameters and their values,
         *              passes each parameter value to the encodeChars function,
         *              then, using the HttpSession object, sets the new parameter values.
         */
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException
        {
            /* wrap the request object;
             * this customised request object enables you to modify request headers */
            HttpServletRequestWrapper reqwrapper = new HttpServletRequestWrapper((HttpServletRequest) request);

            /* Session object to set new parameter values */
            HttpSession _session = reqwrapper.getSession();

            /* Enumerate parameters and parameter values */
            Enumeration parameters = reqwrapper.getParameterNames();
            while (parameters.hasMoreElements()) {
                String paramName = (String) parameters.nextElement();
                String paramValue = reqwrapper.getParameter(paramName);

                /* encode function to change certain characters */
                System.out.println(paramName + ": " + paramValue);      // XXX
                String modifiedValue = encodeChars(paramValue);
                System.out.println(modifiedValue);                       // YYY
                reqwrapper.setAttribute(paramName, modifiedValue);       // stores a request attribute, not a parameter
            }

            System.out.println("the filter is on");                      // ZZZ
            chain.doFilter(reqwrapper, response);
        }

        public void destroy() { }

        public static String encodeChars(String s) {
            StringBuffer sb = new StringBuffer();
            for (int i = 0; i < s.length(); i++) {
                char c = s.charAt(i);
                if (c == '<') sb.append("&lt;");
                else if (c == '>') sb.append("&gt;");
                else if (c == '%') sb.append("&#25");   // note: '%' is decimal 37 (&#37;); "&#25" is a different code point and lacks the closing ';'
                else if (c == '"') sb.append("");
                else if (c == '\'') sb.append("");
                else if (c == '+') sb.append("");
                // newline filter
                else if (c == '\n') sb.append("&lt;br/&gt;");
                else sb.append(c);
            }
            return sb.toString();
        }
    }
    In Log File

    Area1: ANderson <>#$%<?>LO?:                       // Output due to line XXX
    ANderson &lt;&gt;#$&#25&lt;?&gt;LO?:                // Output due to line YYY
    the filter is on                                   // Output due to line ZZZ
    Value becomes: ANderson <>#$%<?>LO?:               // Output through the JSP page




    Can someone tell me why that setAttribute doesn't have any impact on the parameter, or how to modify the parameter values in the request object????
     
    Last edited by a moderator: Aug 31, 2007
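    What the wrapper approach looks like, as an added example rather than the poster's code: instead of calling setAttribute(), subclass HttpServletRequestWrapper and override the getter methods, so the JSP's request.getParameter("Area1") returns the encoded value (EncodingRequestWrapper and its encodeChars are names assumed here). Escaping at the filter is a stopgap: the value still needs context-appropriate encoding where it is rendered.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/* Added example, not the poster's code. A Filter cannot call a setParameter(),
 * but it can hand the chain a wrapper whose getParameter* methods return the
 * transformed values. In doFilter(), pass
 *   new EncodingRequestWrapper((HttpServletRequest) request)
 * to chain.doFilter() instead of a plain HttpServletRequestWrapper. */
public class EncodingRequestWrapper extends HttpServletRequestWrapper {

    public EncodingRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        return value == null ? null : encodeChars(value);
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) return null;
        String[] out = new String[values.length];
        for (int i = 0; i < values.length; i++) out[i] = encodeChars(values[i]);
        return out;
    }
    // Override getParameterMap() the same way if any code reads parameters via the map.

    // HTML-escape the characters that change meaning in HTML text and attribute values.
    static String encodeChars(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```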
    shabbir Administrator Staff Member