Apache Tomcat 7.0.37

org.apache.catalina.filters
Class AddDefaultCharsetFilter

java.lang.Object
  extended by org.apache.catalina.filters.FilterBase
      extended by org.apache.catalina.filters.AddDefaultCharsetFilter
All Implemented Interfaces:
Filter

public class AddDefaultCharsetFilter
extends FilterBase

Filter that explicitly sets the default character set for media subtypes of the "text" type to ISO-8859-1, or to another user-defined character set. RFC2616 explicitly states that browsers must use ISO-8859-1 if no character set is defined for media with subtype "text". However, browsers may attempt to auto-detect the character set. This may be exploited by an attacker to perform an XSS attack. Internet Explorer has this behaviour by default; other browsers have an option to enable it.
This filter prevents the attack by explicitly setting a character set. Unless the provided character set is explicitly overridden by the user - in which case they deserve everything they get - the browser will adhere to an explicitly set character set, thus preventing the XSS attack.


Nested Class Summary
static class AddDefaultCharsetFilter.ResponseWrapper
          Wrapper that adds a character set for text media types if no character set is specified.

Field Summary

Fields inherited from class org.apache.catalina.filters.FilterBase
sm

Constructor Summary
AddDefaultCharsetFilter()

Method Summary
 void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
          The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain.
protected  Log getLogger()
 void init(FilterConfig filterConfig)
          Called by the web container to indicate to a filter that it is being placed into service.
 void setEncoding(String encoding)

Methods inherited from class org.apache.catalina.filters.FilterBase
destroy, isConfigProblemFatal

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AddDefaultCharsetFilter

public AddDefaultCharsetFilter()
Method Detail

setEncoding

public void setEncoding(String encoding)

getLogger

protected Log getLogger()
Specified by:
getLogger in class FilterBase

init

public void init(FilterConfig filterConfig)
          throws ServletException
Description copied from interface: javax.servlet.Filter
Called by the web container to indicate to a filter that it is being placed into service. The servlet container calls the init method exactly once after instantiating the filter. The init method must complete successfully before the filter is asked to do any filtering work.

The web container cannot place the filter into service if the init method either
1. Throws a ServletException
2. Does not return within a time period defined by the web container

Specified by:
init in interface Filter
Overrides:
init in class FilterBase
Throws:
ServletException

doFilter

public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain chain)
              throws IOException,
                     ServletException
Description copied from interface: javax.servlet.Filter
The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.

A typical implementation of this method would follow the following pattern:
1. Examine the request
2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
5. Directly set headers on the response after invocation of the next entity in the filter chain.
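To make the class description and the response-wrapping pattern above (steps 3 and 4a) concrete, here is an added example that is not Tomcat's own code: the decision a charset-defaulting response wrapper makes when the application sets a Content-Type. The class name, the helper addDefaultCharset and the wrapper are assumptions of this example, and compiling the wrapper assumes the servlet API is on the classpath.

```java
import java.util.Locale;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Added example, not Tomcat's own code: the rule AddDefaultCharsetFilter's
// description implies, applied to a Content-Type value set by the application.
public final class DefaultCharsetExample {

    /** Returns the Content-Type to send; text/* types without a charset get the default appended. */
    static String addDefaultCharset(String contentType, String defaultEncoding) {
        if (contentType == null) {
            return null;                       // nothing set yet; leave container behaviour alone
        }
        String lower = contentType.toLowerCase(Locale.ENGLISH);
        if (!lower.startsWith("text/")) {
            return contentType;                // only "text" subtypes fall under the RFC2616 default
        }
        if (lower.contains("charset=")) {
            return contentType;                // the application chose explicitly; respect it
        }
        return contentType + ";charset=" + defaultEncoding;
    }

    /** Response wrapper applying the rule above, in the spirit of AddDefaultCharsetFilter.ResponseWrapper. */
    static final class ResponseWrapper extends HttpServletResponseWrapper {
        private final String encoding;

        ResponseWrapper(HttpServletResponse response, String encoding) {
            super(response);
            this.encoding = encoding;          // value configured through the filter's setEncoding
        }

        @Override
        public void setContentType(String ct) {
            super.setContentType(addDefaultCharset(ct, encoding));
        }
    }

    public static void main(String[] args) {
        String enc = "ISO-8859-1";             // the filter's default when no encoding is configured
        // Constructed sample Content-Type values: one to fix, one already explicit, one non-text.
        for (String ct : new String[] {"text/html", "text/plain;charset=UTF-8", "application/json"}) {
            System.out.println(ct + " -> " + addDefaultCharset(ct, enc));
        }
    }
}
```

In a filter's doFilter, step 4a of the pattern above becomes chain.doFilter(request, new ResponseWrapper((HttpServletResponse) response, encoding)), so every text/* response leaving the chain carries an explicit charset and the browser has nothing to sniff.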

Throws:
IOException
ServletException

Copyright © 2000-2013 Apache Software Foundation. All Rights Reserved.