0

I have to encode the HttpServletRequest parameters to avoid XSS attacks.

I am trying to use CharacterEncodingFilter provided by Spring.

I have the below entry in web.xml, but it doesn't seem to work.

<filter>
    <filter-name>encodingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
        <param-name>forceEncoding</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

I have already gone through other questions asked on SO, but no luck so far.

If I pass a string like "><img src=x onerror=prompt(1);> for a field from the JSP page, it does not encode it. I can do it by getting each individual parameter and then encoding it, but what I need is a single point of encoding for the whole application. Any clue where I am wrong, or any better solution?

EDIT:-

XSSFilter code:-

// Inside doFilter(...) of the XSSFilter; isValidInput() and logger are defined elsewhere in the filter.
Map<String, String[]> params = httpRequest.getParameterMap();
Map<String, String> result = new HashMap<String, String>();
boolean valid = true;
for (Map.Entry<String, String[]> entry : params.entrySet()) {
    String key = entry.getKey();
    String value = entry.getValue()[0];   // only the first value of each parameter is checked
    if (!isValidInput(value)) {
        valid = false;
        result.put(key, "Invalid Input");
        logger.error("Invalid input in url " + httpRequest.getServletPath()
                + " for key : " + key + " value :" + value);
    }
}
  • Is it not working for either of POST or GET? Commented Jan 28, 2015 at 11:02
  • Tested for POST only. Commented Jan 28, 2015 at 11:03
  • Have a look at this; it says "A CharacterEncodingFilter sets the body encoding, but not the URI encoding." Commented Jan 28, 2015 at 11:04
  • Also look at this. Commented Jan 28, 2015 at 11:08
  • Actually I have created a common filter XSSFilter (updated above), which gets the parameters from the request and validates them, and after this filter control transfers to the Spring controller. Commented Jan 28, 2015 at 11:25
