How to remove pre-defined characters from user input in a J2EE web application?

Question

we have a J2EE web application usig Spring MVC. We have a new requirement for our web application where we have to remove certain pre-defined characters from the user input. For example, let's say that the application should remove '<' from all the user inputs. I have come up with 2 approaches to meet this requirement :

1. JSP Level : identify each and every jsp which allows user input and then remove the characters by client side processing.

2. Servlet Filter : Use a filter and intercept the request object. Here I can use 1 of the following 2 approaches :

   2.1 : Override the request.getParameter method and write the character removal logic inside it. Whenever this method is called, it will return the filtered result.

   2.2 : At the filter level, scan the parameter map and filter the required characters. Then write a setParameter method and set the new values in the request parameter map.

Which approach do you suggest? Will the filter have any impact on the performance? If you can think of a better approach then please let me know.

Answer 1

You can do client-side filtering if you wish but you absolutely should not rely on it. Clients can turn off Javascript. They can also just post what they like when it comes down to it. Client-side validation is a convenience. It is no substitute for server-side validation.

As for using servlet filters, I'm not sure I'm a big fan of that. It seems like (and I could be wrong here) you're trying to protect yourself from lazy, forgetful or just plain inept developers.

Also if you allow HTML at any point (like this site does), you can't institute that sort of thing as a universal rule. This sort of thing should be handled where you do all your other validation. Put unit tests around it if you're really worried about it.

Servlet filters just seems heavyhanded and possibly problematic for this.

You're using Spring MVC. Are you using any particular validation framework behind Spring's validators? Whatever the case, IMHO this is the correct place to deal with this kind of problem and easily unit-testable [sic].

I think that's the right point for this kind of thing.

All that being said, I don't see any technical reason why you couldn't do this with setParameter in a servlet filter if you really are so inclined towards that approach. I would certainly do that over overriding setParameter on the servlet request. Can you even do that? Even if you can I wouldn't.

Answer 2

I'd suggest you use regular expressions for this.

As far as where to put it, it sounds like it's business logic, so servlet filters or jsp level don't sound as a very good idea.

Yes, it will hurt performance, but it won't be noticeable or critical.

Answer 3

I'd turn the issue about face. Is the issue that users are typing characters like < into the fields, or the fact that you aren't escaping them when you print them out again on a webpage?

Answer 4

I was just reading another StackOverflow post that might help here using Servlet Filter:

Modify Request Parameter with Servlet Filter

Seems reasonable to Use a servlet filter if you can make one generic enough to sanitize the data for your needs.