Validation of POST parameters is initiated by the /atg/dynamo/servlet/pagecompile/DAFDropletEventServlet component in the request handling pipeline. This component of class atg.droplet.DropletEventServlet is responsible for processing the setX and handleX form handler methods when a form is submitted, which it does by invoking the atg.droplet.EventSender object associated with the form.

When a user attempts to submit a form, the EventSender object calls the isSuspiciousParamValue() method of the atg.servlet.ServletUtil object. This method uses the component specified in the parameterValidator property of the /atg/dynamo/servlet/ServletUtil component to filter the parameters. If all of the parameters are valid, the EventSender calls the setX and handleX form handler methods to set the values on the form handler and process the form.

The ServletUtil component’s parameterValidator property is set to a component of a class that implements the atg.servlet.security.param.ParameterValidator interface. This interface has a single method, areParamValuesSuspicious(), that is responsible for examining the parameter values and determining whether any of them looks suspicious.

The ServletUtil object’s isSuspiciousParamValue() method invokes the areParamValuesSuspicious() method on the component specified by the ServletUtil component’s parameterValidator property. By default, the parameterValidator property is set to /atg/dynamo/servlet/security/XSSParameterValidator, of class atg.servlet.security.param.XSSParameterValidator. This component implements logic for validating the request parameters. See Using the XSSParameterValidator Component for information about this parameter validator and about how you can create and configure alternative parameter validators.
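The validate-then-dispatch order described above, modeled as an added example that is not Oracle's code. The nested `ParameterValidator` interface is a simplified stand-in whose method signature is assumed, `submit()` is a hypothetical model of the EventSender step, and the markup check is constructed for illustration rather than taken from `XSSParameterValidator`.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.BiConsumer;

public class ParamValidationGate {
    // Simplified stand-in for atg.servlet.security.param.ParameterValidator.
    // The real method's signature is not shown on this page; this one is assumed.
    interface ParameterValidator {
        boolean areParamValuesSuspicious(String name, String[] values);
    }

    // Constructed check for illustration only; not the XSSParameterValidator logic.
    static final ParameterValidator MARKUP_VALIDATOR = (name, values) -> {
        for (String v : values) {
            if (v != null && (v.indexOf('<') >= 0 || v.indexOf('>') >= 0)) return true;
        }
        return false;
    };

    // Hypothetical model of the EventSender step: every parameter is checked
    // first, and setters and the handler run only if all of them pass.
    static boolean submit(Map<String, String[]> params, ParameterValidator validator,
                          BiConsumer<String, String[]> setter, Runnable handler) {
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (validator.areParamValuesSuspicious(e.getKey(), e.getValue())) {
                return false; // no setX or handleX call is made
            }
        }
        params.forEach(setter); // stands in for the setX calls
        handler.run();          // stands in for the handleX call
        return true;
    }

    public static void main(String[] args) {
        // Constructed form submissions.
        Map<String, String[]> clean = new LinkedHashMap<>();
        clean.put("firstName", new String[] {"Ada"});
        clean.put("comment", new String[] {"ships on Friday"});
        Map<String, String[]> tainted = new LinkedHashMap<>(clean);
        tainted.put("comment", new String[] {"<b>hi</b>"});

        Map<String, String[]> formState = new LinkedHashMap<>();
        Runnable handler = () -> System.out.println("handler invoked");
        System.out.println("clean accepted: "
                + submit(clean, MARKUP_VALIDATOR, formState::put, handler));
        formState.clear();
        System.out.println("tainted accepted: "
                + submit(tainted, MARKUP_VALIDATOR, formState::put, handler));
        System.out.println("properties set after tainted submit: " + formState.keySet());
    }
}
```

In the tainted submission the valid `firstName` value is not applied either, because the whole parameter set is checked before any setter runs.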


Copyright © 1997, 2016 Oracle and/or its affiliates. All rights reserved.