we have a J2EE web application usig Spring MVC. We have a new requirement for our web application where we have to remove certain pre-defined characters from the user input. For example, let’s say that the application should remove ‘<‘ from all the user inputs. I have come up with 2 approaches to meet this requirement :
-
JSP Level : identify each and every jsp which allows user input and then remove the characters by client side processing.
-
Servlet Filter : Use a filter and intercept the request object. Here I can use 1 of the following 2 approaches :
2.1 : Override the request.getParameter method and write the character removal logic inside it. Whenever this method is called, it will return the filtered result.
2.2 : At the filter level, scan the parameter map and filter the required characters. Then write a setParameter method and set the new values in the request parameter map.
Which approach do you suggest? Will the filter have any impact on the performance? If you can think of a better approach then please let me know.
You can do client-side filtering if you wish but you absolutely should not rely on it. Clients can turn off Javascript. They can also just post what they like when it comes down to it. Client-side validation is a convenience. It is no substitute for server-side validation.
As for using servlet filters, I’m not sure I’m a big fan of that. It seems like (and I could be wrong here) you’re trying to protect yourself from lazy, forgetful or just plain inept developers.
Also if you allow HTML at any point (like this site does), you can’t institute that sort of thing as a universal rule. This sort of thing should be handled where you do all your other validation. Put unit tests around it if you’re really worried about it.
Servlet filters just seems heavyhanded and possibly problematic for this.
You’re using Spring MVC. Are you using any particular validation framework behind Spring’s validators? Whatever the case, IMHO this is the correct place to deal with this kind of problem and easily unit-testable [sic].
I think that’s the right point for this kind of thing.
All that being said, I don’t see any technical reason why you couldn’t do this with setParameter in a servlet filter if you really are so inclined towards that approach. I would certainly do that over overriding setParameter on the servlet request. Can you even do that? Even if you can I wouldn’t.