Package org.apache.catalina.filters
Class AddDefaultCharsetFilter
- java.lang.Object
-
- org.apache.catalina.filters.FilterBase
-
- org.apache.catalina.filters.AddDefaultCharsetFilter
-
- All Implemented Interfaces:
Filter
public class AddDefaultCharsetFilter extends FilterBase
Filter that explicitly sets the default character set for media subtypes of the "text" type to ISO-8859-1, or another user defined character set. RFC2616 explicitly states that browsers must use ISO-8859-1 if no character set is defined for media with subtype "text". However, browsers may attempt to auto-detect the character set. This may be exploited by an attacker to perform an XSS attack. Internet Explorer has this behaviour by default. Other browsers have an option to enable it.
This filter prevents the attack by explicitly setting a character set. Unless the provided character set is explicitly overridden by the user - in which case they deserve everything they get - the browser will adhere to an explicitly set character set, thus preventing the XSS attack.
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static classAddDefaultCharsetFilter.ResponseWrapperWrapper that adds a character set for text media types if no character set is specified.
-
Field Summary
-
Fields inherited from class org.apache.catalina.filters.FilterBase
sm
-
-
Constructor Summary
Constructors Constructor Description AddDefaultCharsetFilter()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description voiddoFilter(ServletRequest request, ServletResponse response, FilterChain chain)ThedoFiltermethod of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain.protected LoggetLogger()voidinit(FilterConfig filterConfig)Iterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.voidsetEncoding(String encoding)-
Methods inherited from class org.apache.catalina.filters.FilterBase
destroy, isConfigProblemFatal
-
-
-
-
Method Detail
-
setEncoding
public void setEncoding(String encoding)
-
getLogger
protected Log getLogger()
- Specified by:
getLoggerin classFilterBase
-
init
public void init(FilterConfig filterConfig) throws ServletException
Description copied from class:FilterBaseIterates over the configuration parameters and either logs a warning, or throws an exception for any parameter that does not have a matching setter in this filter.- Specified by:
initin interfaceFilter- Overrides:
initin classFilterBase- Parameters:
filterConfig- The configuration information associated with the filter instance being initialised- Throws:
ServletException- ifFilterBase.isConfigProblemFatal()returnstrueand a configured parameter does not have a matching setter
-
doFilter
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
Description copied from interface:javax.servlet.FilterThedoFiltermethod of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.A typical implementation of this method would follow the following pattern:-
1. Examine the request
2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
5. Directly set headers on the response after invocation of the next entity in the filter chain.- Parameters:
request- The request to processresponse- The response associated with the requestchain- Provides access to the next filter in the chain for this filter to pass the request and response to for further processing- Throws:
IOException- if an I/O error occurs during this filter's processing of the requestServletException- if the processing fails for any other reason
-
-