Redirecting from filter

[anjibman]

Hi All,

I am trying to write XSS filter which validate all incoming request. Then if invalid string is in request redirect to the error page. Since filter works in chain and I am using HttpServletRequestWrapper to validate I couldn't figure out how to break the chain and redirect to error page.

Filter class

Code:

public class XssFilter implements Filter {
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
			throws IOException, ServletException {		
		chain.doFilter(new XssRequestWrapper((HttpServletRequest)request), response);		
	}
}

Wrapper class

Code:

public final class XssRequestWrapper extends HttpServletRequestWrapper {
     public String[] getParameterValues(String paramString) {
      //call validateValue() and return String[]
    }
    
    public String getParameter(String paramString) {
       //call validateValue() and return String
    }

    public String getHeader(String paramString) {
       //call validateValue() and return String
    }

    public String validateValue(String str) {
       // I am confuse here. I have condition.
       if(dotest){
           return null;
        } else {
           return str;
       }
    }
}

How can I have send user to error page if input string is invalid?

Thanks

[Marten Deinum]

By redirecting... You should validate in the filter and n ot an a get, imho that is confusing and also never going to work. Imagina, I'm down stream somewhere gettnig parameters and all of a sudden I'm redirected?!...

So validate the parameters/headers in the filter and if errornous redirect.

However I strongly suggest not reinventing the wheel and use an existing solution like HDIV (which I probably suggested before).

[anjibman]

Sorry I can't use HDIV this time. i will surely put it in future.
For now do you mean peel validateValue() method from wrapper class to XssFilter?
Then how do I know what paramvalue/param/header did i get?
Can you put skeleton code?

Thanks

[Marten Deinum]

I suggest you inspect the HttpServletRequest interface javadoc... You can simply retrieve all parameter names and iterate over them (the same for the headers).

In your current solution you could throw an exception, catch that in the filter and redirect from there but imho that is bad as it leads to side effects. YOu get something and suddenly something blows up, so probably better to validate up-front.

[anjibman]

Gotch u. Redirection is bad idea.
Ok I will just return null for invalid input and controller will handle accordingly.

Thanks

[Marten Deinum]

I didn't say redirection is a bad idea... I say redirection on a get is a bad idea!

Either validate upfront i.e. in your filter and throw exception and use the error-pages behavior in the web.xml (some security exception) or handle it somewhere else.

Also not sure if you want to validate or do you want to strip certain elements (like done in this XssFilter/Wrapper). This basically lets the application function and simply removes dangerous elements from input elements.

[anjibman]

I want to validate and stop user from submitting such data. But that data can be anywhere on the request. That's why I was planning to redirect as soon as we find the invalid entry.

Any suggestion?

[Marten Deinum]

Any suggestion?

As suggested imho that is a bad idea (at least your current implementation) as you get a method with a side effect (an exception or something else when you do a get).

As mentioned take a look a the HttpServletRequest API there are methods that give you all the parameter/header names so that you can iterate over them, retrieve the value, validate and do whatever you want.

I still think it is better to simply strip the information from the parameters instead of redirecting (as the latter is basically a signal that you are trying to prevent XSS and might lead to other attacks or more XSS attacks.

[qmdqwd]

Ok I will just return null for invalid input and controller will handle accordingly.