I have a servlet filter which is calling a RequestWrapper class to check and modify the request header. I am overriding the getHeader method inside the RequestWrapper class to modify the request header:

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public final class RequestWrapper extends HttpServletRequestWrapper {

    public RequestWrapper(HttpServletRequest request) {
        super(request);
    }

    // Only header lookups pass through this override.
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null)
            return null;
        return removeUnexpectedCharacters(value);
    }

    // Blacklist-style removal of two substrings from the header value.
    private String removeUnexpectedCharacters(String value) {
        value = value.replaceAll("script", "");
        value = value.replaceAll("alert", "");
        System.out.println("before return: " + value);
        return value;
    }
}
```
In the server logs, I can see that this code is getting executed and it is actually removing the characters too; however, when the response is rendered to the browser it still contains the removed characters.
When I request a page from the server with the URL below, it should remove blacklisted characters like script and alert from the username parameter.
https://xxx:8443/ProjectName/login?username=%3E%22%27%3E%3Cscript%3Ealert%2860%29%3C%2Fscript%3E
Expected URL:
https://xxx:8443/ProjectName/login?username=%3E%22%27%3E%3C%3E%2860%29%3C%2F%3E
I am not able to understand what the issue is here. Can anyone please help me with this?
From your question it seems to me that you should wrap the Response from the server, not the incoming Request. See this: HttpServletResponseWrapper. It should be a matter of changing the class your wrapper extends, i.e. from HttpServletRequestWrapper to HttpServletResponseWrapper; the implementation shouldn't need to change (but I didn't check that).
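As an added illustration that is not code from either post: the sanitiser in the question only runs inside getHeader, while the username value in the question's URL arrives as a query parameter and is read through getParameter, which the posted wrapper never overrides. The hypothetical FilteringRequestWrapper below (assuming the javax.servlet API and a caller-supplied filter function) routes headers and parameters through one filter so that the same check covers both.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.UnaryOperator;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical wrapper (not the asker's class). It runs one filter function
// over headers AND request parameters, because the "username" value in the
// question's URL is a query parameter and never passes through getHeader().
public final class FilteringRequestWrapper extends HttpServletRequestWrapper {
    private final UnaryOperator<String> filter;

    public FilteringRequestWrapper(HttpServletRequest request, UnaryOperator<String> filter) {
        super(request);
        this.filter = filter;
    }

    private String apply(String value) {
        return value == null ? null : filter.apply(value);
    }

    @Override
    public String getHeader(String name) {
        return apply(super.getHeader(name));
    }

    @Override
    public String getParameter(String name) {
        return apply(super.getParameter(name));
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        return values == null ? null
                : Arrays.stream(values).map(this::apply).toArray(String[]::new);
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> filtered = new LinkedHashMap<>();
        for (String name : super.getParameterMap().keySet()) {
            filtered.put(name, getParameterValues(name));
        }
        return Collections.unmodifiableMap(filtered);
    }
}
```

In the filter, pass `new FilteringRequestWrapper(req, v -> v.replaceAll("(?i)script|alert", ""))` to chain.doFilter to reproduce the question's blacklist; note that substring removal is not a robust XSS defence, and contextual output encoding at render time is what actually stops injected markup from executing.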