HttpServletRequestWrapper - Not able to modify the request header


I have a servlet filter which calls a RequestWrapper class to check and modify the request header.

public final class RequestWrapper extends HttpServletRequestWrapper

I am overriding the getHeader method inside the RequestWrapper class to modify the request header.

@Override
public String getHeader(String name) {
    String value = super.getHeader(name);
    if (value == null)
      return null;
    return removeUnexpectedCharacters(value);
}

// Strips the blacklisted substrings from a header value (case-sensitive match).
private String removeUnexpectedCharacters(String value)
{
    value = value.replaceAll("script", "");
    value = value.replaceAll("alert", "");
    System.out.println("before return: " + value);
    return value;
}

In the server logs, I can see that this code is getting executed and it is actually removing the characters too; however, when the response renders in the browser it still contains the removed characters.

When I request a page from the server with the URL below, it should remove blacklisted characters like script and alert from the username parameter.

https://xxx:8443/ProjectName/login?username=%3E%22%27%3E%3Cscript%3Ealert%2860%29%3C%2Fscript%3E

Expected URL:

https://xxx:8443/ProjectName/login?username=%3E%22%27%3E%3C%3E%2860%29%3C%2F%3E

I am not able to understand what the issue is here. Can anyone please help me with this?


From your question it seems to me that you should wrap the Response from the server, not the incoming Request. See this: HttpServletResponseWrapper. It should be a matter of changing the class your wrapper extends, i.e.
from

public final class RequestWrapper extends HttpServletRequestWrapper

to

public final class ResponseWrapper extends HttpServletResponseWrapper

the implementation shouldn't need to change (but I didn't check that).
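As an added example (not code from the question or the answer above): the value in the question's URL arrives as a query parameter, which servlets read through getParameter(), so a getHeader() override never sees it at all. The filter below wraps the request so that getParameter(), getParameterValues() and getParameterMap() all pass through the same sanitizer, and wraps the response in a buffer, as the answer suggests, so the rendered body can be post-processed before it reaches the browser. The class names SanitizingFilter, ParameterSanitizingRequest and BufferedResponseWrapper are assumptions for this example.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example filter; names are assumptions, not code from the original post.
public class SanitizingFilter implements Filter {

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpRes = (HttpServletResponse) res;

        BufferedResponseWrapper bufferedRes = new BufferedResponseWrapper(httpRes);
        chain.doFilter(new ParameterSanitizingRequest(httpReq), bufferedRes);

        // The servlet/JSP wrote into our buffer, not the socket: post-process the
        // body here, then forward it with a corrected Content-Length.
        String filtered = removeUnexpectedCharacters(bufferedRes.getBody());
        byte[] bytes = filtered.getBytes(encodingOf(httpRes));
        httpRes.setContentLength(bytes.length);
        httpRes.getOutputStream().write(bytes);
        httpRes.flushBuffer();
    }

    // Same blacklist as in the question, kept only to show where it plugs in.
    // A keyword blacklist is bypassable ("scrscriptipt" survives one pass) and
    // is not a substitute for contextual output encoding of untrusted data.
    static String removeUnexpectedCharacters(String value) {
        return value.replaceAll("script", "").replaceAll("alert", "");
    }

    static String encodingOf(ServletResponse r) {
        return r.getCharacterEncoding() == null ? "UTF-8" : r.getCharacterEncoding();
    }

    // Request side: ?username=... is a parameter, so override the parameter
    // accessors (all three, since frameworks read any of them), not getHeader().
    static class ParameterSanitizingRequest extends HttpServletRequestWrapper {
        ParameterSanitizingRequest(HttpServletRequest r) { super(r); }

        @Override
        public String getParameter(String name) {
            String v = super.getParameter(name);
            return v == null ? null : removeUnexpectedCharacters(v);
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] vs = super.getParameterValues(name);
            if (vs == null) return null;
            String[] out = new String[vs.length];
            for (int i = 0; i < vs.length; i++) out[i] = removeUnexpectedCharacters(vs[i]);
            return out;
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> out = new LinkedHashMap<>();
            for (String name : super.getParameterMap().keySet()) {
                out.put(name, getParameterValues(name));
            }
            return Collections.unmodifiableMap(out);
        }
    }

    // Response side: capture whatever the servlet writes, via either the
    // output stream or the writer, so the filter can modify it afterwards.
    static class BufferedResponseWrapper extends HttpServletResponseWrapper {
        private final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        private PrintWriter writer;

        BufferedResponseWrapper(HttpServletResponse r) { super(r); }

        @Override
        public ServletOutputStream getOutputStream() {
            return new ServletOutputStream() {
                @Override public void write(int b) { buffer.write(b); }
                public boolean isReady() { return true; }            // Servlet 3.1+
                public void setWriteListener(WriteListener l) { }   // Servlet 3.1+
            };
        }

        @Override
        public PrintWriter getWriter() throws IOException {
            if (writer == null) {
                writer = new PrintWriter(new OutputStreamWriter(buffer, encodingOf(this)), true);
            }
            return writer;
        }

        String getBody() throws IOException {
            if (writer != null) writer.flush();
            return buffer.toString(encodingOf(this));
        }
    }
}
```

Register the filter for the login URL in web.xml or with @WebFilter("/login"). Note that rewriting the whole response body this way also strips legitimate occurrences of "script" (for example the page's own <script> tags), which is why the robust fix for the reflected value is to HTML-encode the username where it is written into the page rather than to blacklist substrings on the way in or out.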