Urgent Help!!! Modifying params in Request object || Java equiv of setParameter()

Discussion in 'Java' started by sakthi.abdullah, Aug 30, 2007.

  1. sakthi.abdullah

    sakthi.abdullah New Member

    Hi All,

    This is a very-very-very urgent need!! Please reply if you have any clue.

    Scenario:
    To prevent XSS (cross-site scripting) from external sources, I tried these things.

    When a webpage is called, I'll scan all the parameter values passed and, if a value contains any malicious characters like < % > etc., I'll encode it to ASCII format.

    The problem is that in Java there is no counterpart to getParameter(), i.e. no function like setParameter().

    So I tried using setAttribute, but no luck...

    I've posted the full code of

    1. jsp code [ This jsp is called from another page which sends some parameters ]
    2. Servlet class (which acts as a filter)
    3. log file info (the output console)


    Please tell me where I went wrong.

    jsp code::
    <%
    String _field=request.getParameter("Area1");
    System.out.println("Value becomes: "+_field);
    %>


    N.B.: Actually the parameter Area1 is passed from the previous page. I just checked to see whether it prints the modified input or the same input.

    Servlet class
    Code:
    import java.io.*;
    import java.util.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class MyFilterServlet implements Filter
    {
        private FilterConfig filterConfig = null;

        public void init(FilterConfig filterConfig) {
            this.filterConfig = filterConfig;
        }

        /**
         *  Description : First enumerates all parameters and their values,
         *                passes the parameter values to the encodeChars function,
         *                then, using the HttpSession object, sets the new parameter values.
         */
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException
        {
            /* Wrap the request object.
             * This customised request object enables you to modify request headers. */
            HttpServletRequestWrapper reqwrapper = new HttpServletRequestWrapper((HttpServletRequest) request);

            /* Session object to set new parameter values */
            HttpSession _session = reqwrapper.getSession();

            /* Enumerate parameters and parameter values */
            Enumeration parameters = reqwrapper.getParameterNames();
            while (parameters.hasMoreElements()) {
                String paramName = (String) parameters.nextElement();
                String paramValue = reqwrapper.getParameter(paramName);

                /* encode function to change certain characters */
                System.out.println(paramName + ": " + paramValue);   // XXX
                String modifiedValue = encodeChars(paramValue);
                System.out.println(modifiedValue);                   // YYY
                reqwrapper.setAttribute(paramName, modifiedValue);
            }

            System.out.println("the filter is on");                  // ZZZ
            chain.doFilter(reqwrapper, response);
        }

        public void destroy() { }

        public static String encodeChars(String s) {
            StringBuffer sb = new StringBuffer();
            for (int i = 0; i < s.length(); i++) {
                char c = s.charAt(i);
                if (c == '<') sb.append("&lt;");
                else if (c == '>') sb.append("&gt;");
                else if (c == '%') sb.append("&#25");   // emits "&#25" as seen in the log ('%' is code point 37)
                else if (c == '"') sb.append("");
                else if (c == '\'') sb.append("");
                else if (c == '+') sb.append("");
                // newline filter
                else if (c == '\n') sb.append("&lt;br/&gt;");
                else sb.append(c);
            }
            return sb.toString();
        }
    }
    In the log file:

    Area1: ANderson <>#$%<?>LO?: // Output due to line XXX
    ANderson &lt;&gt;#$&#25&lt;?&gt;LO?: //Output due to line YYY
    the filter is on //Output due to line ZZZ
    Value becomes: ANderson <>#$%<?>LO?: //Output thro JSP page




    Can someone tell me why that setAttribute doesn't have any impact on the parameter, or how to modify the parameter values in the request object?
     
    Last edited by a moderator: Aug 31, 2007
  2. shabbir

    shabbir Administrator Staff Member

