This is a very, very, very urgent need!! Please ping if you have any clue..
Scenario:
To prevent XSS (cross-site scripting) from external sources, I tried these things.
When a webpage is called, I'll scan all the parameter values passed, and if any of them contains malicious characters like < % > etc., I'll encode them to ASCII format. I've posted the full code of
The problem is that in Java there is no equivalent of getParameter(), i.e. any function like setParameter().
So I tried using setAttribute, but no luck...
1. JSP code [this JSP is called from another page which sends some parameters]
2. Servlet class (which acts as a filter)
3. Log file info (the output console)
Please tell me where I went wrong.
JSP code:
<%
String _field=request.getParameter("Area1");
System.out.println("Value becomes: "+_field);
%>
N.B.: Actually the parameter Area1 is passed from the previous page. I just checked to see if it prints the modified input or the same input.
Servlet class
Code:
import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class MyFilterServlet implements Filter
{
    private FilterConfig filterConfig = null;

    public void init(FilterConfig filterConfig) {
        this.filterConfig = filterConfig;
    }

    /**
     * Description : First enumerates all parameters and their values.
     * Passes each parameter value to the encodeChars function.
     * Using the HttpSession object, sets the new parameter values.
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException
    {
        /** wrap the request object
         *  this customised request object enables you to modify request headers */
        HttpServletRequestWrapper reqwrapper = new HttpServletRequestWrapper((HttpServletRequest) request);
        /* Session object to set new parameter values */
        HttpSession _session = reqwrapper.getSession();
        /* Enumerate parameters and parameter values */
        Enumeration parameters = reqwrapper.getParameterNames();
        while (parameters.hasMoreElements()) {
            String paramName = (String) parameters.nextElement();
            String paramValue = reqwrapper.getParameter(paramName);
            System.out.println(paramName + ": " + paramValue); // XXX
            /* encode function to change certain characters */
            String modifiedValue = encodeChars(paramValue);
            System.out.println(modifiedValue); // YYY
            // stores a request *attribute*; what getParameter(paramName) returns is unchanged
            reqwrapper.setAttribute(paramName, modifiedValue);
        }
        System.out.println("the filter is on"); // ZZZ
        chain.doFilter(reqwrapper, response);
    }

    public void destroy() { }

    /* Replaces a few characters with HTML entities (or drops them) */
    public static String encodeChars(String s) {
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '<') sb.append("&lt;");
            else if (c == '>') sb.append("&gt;");
            else if (c == '%') sb.append("");
            else if (c == '"') sb.append("");
            else if (c == '\'') sb.append("");
            else if (c == '+') sb.append("B;");
            // newline filter
            else if (c == '\n') sb.append("<br/>");
            else sb.append(c);
        }
        return sb.toString();
    }
}
Area1: ANderson <>#$%<?>LO?: // Output due to line XXX
ANderson <>#$<?>LO?: //Output due to line YYY
the filter is on //Output due to line ZZZ
Value becomes: ANderson <>#$%<?>LO?: //Output thro JSP page
Can someone tell me why that setAttribute doesn't have any impact on the parameter? (Or) how do I modify the parameter values in the request object????