Go4Expert (http://www.go4expert.com/) - Java forum (http://www.go4expert.com/forums/java/)
Thread: Urgent Help !!! Modifying params in Request object|| java equiv of setParameter() (http://www.go4expert.com/forums/urgent-help-modifying-params-request-t6116/)

sakthi.abdullah 31Aug2007 00:41

Urgent Help !!! Modifying params in Request object|| java equiv of setParameter()
 
Hi All,

This is a very, very, very urgent need!! Please ping me if you have any clue.

Scenario:
To prevent XSS (cross-site scripting) from external sources, I tried these things.
When a web page is called, I'll scan all the parameter values passed and, if a value contains any malicious characters like < % > etc., I'll encode it to ASCII format.

The problem is that in Java there is no equivalent of getParameter(), i.e. any function like setParameter().

So I tried using setAttribute, but no luck...
I've posted the full code of:

1. JSP code [this JSP is called from another page which sends some parameters]
2. Servlet class (which acts as a filter)
3. Log file info (the output console)

Please tell me where I went wrong.

JSP code:
Code:

<%
String _field = request.getParameter("Area1");
System.out.println("Value becomes: " + _field);
%>


N.B.: Actually the parameter Area1 is passed from the previous page. I just checked to see if it prints the modified input or the same input.

Servlet class
Code:

import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class MyFilterServlet implements Filter
{
    private FilterConfig filterConfig = null;

    public void init(FilterConfig filterConfig) {
        this.filterConfig = filterConfig;
    }

    /**
     * Description: First enumerates all parameters and their values.
     *              Passes each parameter value to the encodeChars function.
     *              Using the HttpSession object, set the new parameter values.
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException
    {
        /* wrap the request object
         * (the stock HttpServletRequestWrapper simply delegates every call to the original request) */
        HttpServletRequestWrapper reqwrapper = new HttpServletRequestWrapper((HttpServletRequest) request);

        /* Session object to set new parameter values (obtained but not used below) */
        HttpSession _session = reqwrapper.getSession();

        /* Enumerate parameters and parameter values */
        Enumeration parameters = reqwrapper.getParameterNames();
        while (parameters.hasMoreElements()) {
            String paramName = (String) parameters.nextElement();
            String paramValue = reqwrapper.getParameter(paramName);

            /* encode function to change certain characters */
            System.out.println(paramName + ": " + paramValue); // XXX
            String modifiedValue = encodeChars(paramValue);
            System.out.println(modifiedValue); // YYY
            /* stores the value in the attribute map; getParameter() still reads the parameter map */
            reqwrapper.setAttribute(paramName, modifiedValue);
        }

        System.out.println("the filter is on"); // ZZZ

        chain.doFilter(reqwrapper, response);
    }

    public void destroy() { }

    /* Replaces a fixed set of characters with HTML entities; quotes are dropped. */
    public static String encodeChars(String s) {
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '<') sb.append("&lt;");
            else if (c == '>') sb.append("&gt;");
            else if (c == '%') sb.append("&#37;");   // '%' is decimal 37 (0x25); "&#25" denotes a control character
            else if (c == '"') sb.append("");
            else if (c == '\'') sb.append("");
            else if (c == '+') sb.append("&#43;");   // '+' is decimal 43
            // newline filter
            else if (c == '\n') sb.append("&lt;br/&gt;");
            else sb.append(c);
        }
        return sb.toString();
    }
}

In log file

Area1: ANderson <>#$%<?>LO?: // Output due to line XXX
ANderson &lt;&gt;#$&#25&lt;?&gt;LO?: // Output due to line YYY
the filter is on // Output due to line ZZZ
Value becomes: ANderson <>#$%<?>LO?: // Output through JSP page




Can someone tell me why that setAttribute doesn't have any impact on the parameter, or how to modify the parameter values in the request object?
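
Why the log above looks the way it does: setAttribute() writes to the request's attribute map (read back with getAttribute()), while getParameter() reads the parameter map, which the servlet API exposes read-only. A bare HttpServletRequestWrapper forwards every call to the wrapped request, so wrapping alone changes nothing. The supported way to present modified values is to subclass HttpServletRequestWrapper and override the parameter accessors. The code below is an added example, not the original poster's code or the forum's; the names EscapingFilter, EscapingRequestWrapper and escapeHtml are assumptions, and it uses the javax.servlet packages of the 2007-era API shown in the post (on Jakarta EE 9 and later the package is jakarta.servlet).

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/* Added example; class and method names are assumptions, not from the post. */
public class EscapingFilter implements Filter {

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            // Downstream servlets and JSPs receive the wrapper, so their
            // request.getParameter(...) calls reach the overridden methods.
            chain.doFilter(new EscapingRequestWrapper((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    /**
     * Overrides all four parameter accessors together, so a scriptlet using
     * getParameter(), code using getParameterValues() and a framework that
     * iterates getParameterMap() all see the same escaped data.
     */
    static class EscapingRequestWrapper extends HttpServletRequestWrapper {

        private final Map<String, String[]> escaped;

        EscapingRequestWrapper(HttpServletRequest request) {
            super(request);
            Map<String, String[]> copy = new HashMap<String, String[]>();
            Map<?, ?> original = request.getParameterMap();   // raw Map on Servlet 2.5, typed on 3.0+
            for (Map.Entry<?, ?> e : original.entrySet()) {
                String[] values = (String[]) e.getValue();
                String[] out = new String[values.length];
                for (int i = 0; i < values.length; i++) {
                    out[i] = escapeHtml(values[i]);
                }
                copy.put((String) e.getKey(), out);
            }
            escaped = Collections.unmodifiableMap(copy);
        }

        @Override
        public String getParameter(String name) {
            String[] v = escaped.get(name);
            return (v == null || v.length == 0) ? null : v[0];
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] v = escaped.get(name);
            return v == null ? null : v.clone();
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            return escaped;
        }

        @Override
        public Enumeration<String> getParameterNames() {
            return Collections.enumeration(escaped.keySet());
        }
    }

    /**
     * Escapes the characters that matter in HTML text and attribute context.
     * '&' is included so the result round-trips: otherwise a client-supplied
     * "&lt;" would be indistinguishable from an escaped '<'.
     */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;"); break;
                case '<':  sb.append("&lt;");  break;
                case '>':  sb.append("&gt;");  break;
                case '"':  sb.append("&#34;"); break;
                case '\'': sb.append("&#39;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Register it in web.xml with a <filter> element and a <filter-mapping> whose <url-pattern> is /* ; it is a Filter, not a servlet, so it needs no <servlet> entry. With this wrapper in place, the JSP's request.getParameter("Area1") returns the escaped string instead of the raw one. Two caveats a practitioner should weigh before adopting input escaping as the XSS control: it rewrites data before it is stored, so anything later shown in a non-HTML context (a JavaScript string, a URL, a database report) carries HTML entities, and it only handles the HTML text context. The robust control is encoding at the point of output for the context in question, for example JSTL's <c:out>, which escapes XML by default; a filter like this one is at best a defence-in-depth layer in front of that.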

shabbir 31Aug2007 08:15

Re: Urgent Help !!! Modifying params in Request object|| java equiv of setParameter()
 
Please use the code block when you have code snippets in the posts. I would suggest you read - Before you make a query

