
Urgent Help !!! Modifying params in Request object|| java equiv of setParameter()

Discussion in 'Java' started by sakthi.abdullah, Aug 30, 2007.

  1. sakthi.abdullah

    sakthi.abdullah New Member

    Joined:
    Mar 15, 2007
    Messages:
    29
    Likes Received:
    1
    Trophy Points:
    0
    Hi All,

    This is a very-very-very urgent need!! Please ping if you have any clue.

    Scenario:
    To prevent XSS (cross-site scripting) from external sources, I tried these things.

    When a webpage is called, I'll scan all the parameter values passed and if it contains any malicious characters like < % > etc., I'll encode to ASCII format.

    The problem is that in Java there is no equivalent of getParameter(), i.e. any function like setParameter().

    So I tried using setAttribute but no luck ...

    I've posted the full code of

    1. jsp code [ This jsp is called from another page which sends some parameters ]
    2. Servlet class (which acts as a filter)
    3. log file info (the output console)


    Please tell me where I went wrong.

    jsp code:
    <%
    String _field=request.getParameter("Area1");
    System.out.println("Value becomes: "+_field);
    %>


    N.B.: Actually the parameter Area1 is passed from the previous page. I just checked to see if it prints the modified input or the same input.

    ServletClass
    Code:
    import java.io.*;
    import java.util.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class MyFilterServlet implements Filter
    {
    	private FilterConfig filterConfig = null;

    	public void init(FilterConfig filterConfig) {
    		this.filterConfig = filterConfig;
    	}

    	/**
    	 *  Description : First enumerates all parameters and their values.
    	 *                Passes parameter values to the encodeChars function.
    	 *                Using the HttpSession object, sets the new parameter values.
    	 */
    	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
    	{
    		/* wrap the request object
    		 * this customised request object enables you to modify request headers */
    		HttpServletRequestWrapper reqwrapper = new HttpServletRequestWrapper((HttpServletRequest) request);

    		/* Session object to set new parameter values (not used further below) */
    		HttpSession _session = reqwrapper.getSession();

    		/* Enumerate parameters, parameter values */
    		Enumeration parameters = reqwrapper.getParameterNames();
    		while (parameters.hasMoreElements()) {
    			String paramName = (String) parameters.nextElement();
    			String paramValue = reqwrapper.getParameter(paramName);

    			/* encode function to change certain characters */
    			System.out.println(paramName + ": " + paramValue); // XXX
    			String modifiedValue = encodeChars(paramValue);
    			System.out.println(modifiedValue); // YYY
    			/* stores the encoded value as a request ATTRIBUTE; getParameter() is unaffected */
    			reqwrapper.setAttribute(paramName, modifiedValue);
    		}

    		System.out.println("the filter is on"); // ZZZ
    		chain.doFilter(reqwrapper, response);
    	}

    	public void destroy() { }

    	/* replaces a fixed set of characters; quotes and '+' are dropped outright */
    	public static String encodeChars(String s) {
    		StringBuffer sb = new StringBuffer();
    		for (int i = 0; i < s.length(); i++) {
    			char c = s.charAt(i);
    			if (c == '<') sb.append("&lt;");
    			else if (c == '>') sb.append("&gt;");
    			// kept as posted (matches the log below); '%' is decimal 37, so the correct reference would be "&#37;"
    			else if (c == '%') sb.append("&#25");
    			else if (c == '"') sb.append("");
    			else if (c == '\'') sb.append("");
    			else if (c == '+') sb.append("");
    			// newline filter
    			else if (c == '\n') sb.append("&lt;br/&gt;");
    			else sb.append(c);
    		}
    		return sb.toString();
    	}
    }
    In Log File

    Area1: ANderson <>#$%<?>LO?: // Output due to line XXX
    ANderson &lt;&gt;#$&#25&lt;?&gt;LO?: //Output due to line YYY
    the filter is on //Output due to line ZZZ
    Value becomes: ANderson <>#$%<?>LO?: //Output thro JSP page




    Can someone tell me why that setAttribute doesn't have any impact on the parameter, or how to modify the parameter values in the request object?
     
    Last edited by a moderator: Aug 31, 2007
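The log above shows exactly why the attempt fails: a servlet container keeps request attributes and request parameters in two separate maps, and getParameter() only ever reads the parameter map parsed from the query string or body, so setAttribute() can never change what the JSP sees. The way to get a "setParameter" effect is to subclass HttpServletRequestWrapper and override the parameter getters, then pass that wrapper down the chain. The following is an added example written for this thread, not code from the original post; the class names EncodingParamFilter and EncodedParameterRequest are my own, and it assumes Servlet API 2.5 or later.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Hypothetical filter (not the poster's code) that hands the rest of the chain a
 * request whose parameter getters return HTML-encoded copies of the values.
 * setAttribute() cannot achieve this: the attribute map and the parameter map
 * are separate, and getParameter() only ever reads the latter.
 */
public class EncodingParamFilter implements Filter {

    public void init(FilterConfig filterConfig) { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Everything downstream (the JSP included) must read through the wrapper,
        // so it is the wrapper, not the original request, that goes down the chain.
        chain.doFilter(new EncodedParameterRequest((HttpServletRequest) request), response);
    }

    /** Wrapper that overrides the parameter getters instead of touching attributes. */
    static class EncodedParameterRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> encoded;

        @SuppressWarnings("unchecked")
        EncodedParameterRequest(HttpServletRequest request) {
            super(request);
            // Servlet 2.x declares getParameterMap() as a raw Map, 3.x as Map<String, String[]>;
            // the assignment compiles against both (with an unchecked warning on 2.x).
            Map<String, String[]> original = request.getParameterMap();
            Map<String, String[]> copy = new HashMap<String, String[]>();
            for (Map.Entry<String, String[]> e : original.entrySet()) {
                String[] values = e.getValue();
                String[] out = new String[values.length];
                for (int i = 0; i < values.length; i++) {
                    out[i] = encodeChars(values[i]);
                }
                copy.put(e.getKey(), out);
            }
            encoded = Collections.unmodifiableMap(copy);
        }

        @Override
        public String getParameter(String name) {
            String[] values = encoded.get(name);
            return (values == null || values.length == 0) ? null : values[0];
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] values = encoded.get(name);
            return values == null ? null : values.clone();
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            return encoded;
        }
        // getParameterNames() is inherited unchanged: the set of names is the same.
    }

    /**
     * Replaces the characters that are significant in HTML with character references.
     * '&' is covered too, so the result is unambiguous and decodes back to the input.
     */
    static String encodeChars(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Register the filter in web.xml with a <filter> entry and a <filter-mapping> whose url-pattern covers the JSP; with that in place the JSP's request.getParameter("Area1") returns the encoded string. Two caveats worth keeping in mind: a wrapper that encodes every parameter on the way in will also mangle values that are legitimately supposed to contain those characters (for example text stored in a database and never rendered), and the more robust XSS defence is to encode at the point of output instead, for instance by printing parameters through JSTL's <c:out>, which escapes XML by default.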
  2. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,285
    Likes Received:
    364
    Trophy Points:
    83
