
I have to encode the HttpServletRequest parameters to avoid XSS attacks.

I am trying to use CharacterEncodingFilter provided by Spring.

I have the below entry in web.xml, but it doesn't seem to work.

    <filter>
        <filter-name>encodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
        <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>encodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Already gone through other questions asked on SO, but no luck so far.

If I pass a string like "><img src=x onerror=prompt(1);> for a field from a JSP page, it does not encode it. I can do it by getting each individual parameter and then encoding it, but what I need is single-point encoding for the whole application. Any clue where I am wrong? Or any better solution?

EDIT:-

XSSFilter code:-

    // Inside XSSFilter.doFilter(...), after casting the ServletRequest to HttpServletRequest.
    // isValidInput(...) and logger are the filter's own members, defined elsewhere in the class.
    Map<String, String[]> params = httpRequest.getParameterMap();
    Map<String, String> result = new HashMap<String, String>();
    boolean valid = true;
    for (Map.Entry<String, String[]> entry : params.entrySet()) {
        String key = entry.getKey();
        String value = entry.getValue()[0]; // only the first value of each parameter is checked
        if (!isValidInput(value)) {
            valid = false;
            result.put(key, "Invalid Input");
            logger.error("Invalid input in url " + httpRequest.getServletPath()
                    + " for key : " + key + " value :" + value);
        }
    }
dReAmEr

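An added example, not code from the question or from Spring: CharacterEncodingFilter only sets the request and response charset, so a single-point escaping filter has to be written separately. This one wraps the request in an HttpServletRequestWrapper and HTML-escapes every parameter on read, so the payload quoted above reaches the JSP as `&quot;&gt;&lt;img src=x onerror=prompt(1);&gt;`. The class and method names are hypothetical.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter; map it to /* in web.xml like the encodingFilter above.
public class HtmlEscapingFilter implements Filter {
    // Wrapper that escapes parameter values on every accessor, so JSPs and
    // controllers that read request parameters never see raw markup.
    static class EscapingRequest extends HttpServletRequestWrapper {
        EscapingRequest(HttpServletRequest req) { super(req); }

        @Override public String getParameter(String name) {
            return escape(super.getParameter(name));
        }

        @Override public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            if (raw == null) return null;
            String[] out = new String[raw.length];
            for (int i = 0; i < raw.length; i++) out[i] = escape(raw[i]);
            return out;
        }

        @Override public Map<String, String[]> getParameterMap() {
            Map<String, String[]> out = new HashMap<>();
            for (String name : super.getParameterMap().keySet()) {
                out.put(name, getParameterValues(name));
            }
            return out;
        }
    }

    // HTML entity escaping for the HTML body/attribute context; '&' is replaced
    // first so the entities produced here are not themselves re-escaped.
    static String escape(String s) {
        if (s == null) return null;
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new EscapingRequest((HttpServletRequest) req), res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Escaping on input only fits values that end up in an HTML body or attribute; a parameter written into a JavaScript block, a URL or a JSON response still needs context-specific escaping at the point of output (for JSP, `<c:out>` covers the HTML case).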