Validation of query parameters in URLs is initiated by the /atg/dynamo/servlet/dafpipeline/SecurityServlet component in the request handling pipeline. This component, of class atg.servlet.pipeline.SecurityServlet, examines the values of the request's query parameters and stops processing the request if any parameter value fails validation.

SecurityServlet invokes a component of class atg.servlet.security.param.OverridableParameterValidator to perform the validation. This component is specified through the parameterValidator property of the SecurityServlet component. By default, this property is set to /atg/dynamo/servlet/security/ParameterValidator.

The ParameterValidator component can validate query parameter values using its own logic, or it can delegate the validation to other components that implement different logic. These components are listed in the ParameterValidator component's overridingValidators property, which holds a list of components whose classes implement the atg.servlet.security.param.RequestParameterValidator interface. RequestParameterValidator is a subinterface of ParameterValidator that adds a canValidateRequest() method. This method examines the request and reports whether the component can validate it or whether validation must be passed on to another component.

When the ParameterValidator component validates query parameters, it calls the canValidateRequest() method of the first component named in its overridingValidators property. If the method returns true, ParameterValidator delegates validation of the query parameters to that component and does not consult the remaining components. If the method returns false, the same check is performed on each subsequent component in the list until one returns true, at which point ParameterValidator invokes that component. If none of the overriding validator components returns true, ParameterValidator validates the query parameters itself. This first-match logic makes it possible to use different validator components in different contexts, and it means the order of the list matters.

By default, the overridingValidators property is set to the /atg/dynamo/servlet/security/XSSParameterValidator component, of class atg.servlet.security.param.XSSParameterValidator. If this component's enabled property is set to true, its canValidateRequest() method returns true for every request. This means that unless you change the default configuration, this component always overrides ParameterValidator. Because it claims every request, any validator listed after it in overridingValidators is never consulted; a validator that should handle only certain requests must be listed before it. See Using the XSSParameterValidator Component for information about XSSParameterValidator.
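The following is an added example that models the first-match delegation described above and the effect of the default XSSParameterValidator configuration. It is not ATG code: the interface and class names mirror the ones in the text, but every method signature other than canValidateRequest() is assumed, the Request class is a stand-in for the real request object, the markup rule in XSSParameterValidator and the fallback rule in OverridableParameterValidator are illustrative only, and TrustedImportValidator with its /admin/import/ path prefix is hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Minimal request model for this example: request path plus parsed query parameters (stand-in, not the ATG request class). */
final class Request {
    final String path;
    final Map<String, String[]> params;
    Request(String path, Map<String, String[]> params) { this.path = path; this.params = params; }
}

/** Stand-in for the ParameterValidator interface; the method name and signature are assumed. */
interface ParameterValidator {
    /** Returns true when every parameter value is acceptable, false to stop the request. */
    boolean validateParameters(Request req);
}

/** Stand-in for RequestParameterValidator: a ParameterValidator that can also claim a request. */
interface RequestParameterValidator extends ParameterValidator {
    boolean canValidateRequest(Request req);
}

/** Stand-in for OverridableParameterValidator's first-match delegation over overridingValidators. */
class OverridableParameterValidator implements ParameterValidator {
    private List<RequestParameterValidator> overridingValidators = Collections.emptyList();

    void setOverridingValidators(List<RequestParameterValidator> validators) {
        overridingValidators = validators;
    }

    @Override
    public boolean validateParameters(Request req) {
        // Walk the list in order; the first validator that claims the request decides,
        // and the validators after it are never consulted.
        for (RequestParameterValidator v : overridingValidators) {
            if (v.canValidateRequest(req)) {
                return v.validateParameters(req);
            }
        }
        return validateLocally(req);
    }

    /** Fallback used when no overriding validator claims the request (assumed rule: reject NUL bytes and line breaks). */
    boolean validateLocally(Request req) {
        for (String[] values : req.params.values()) {
            for (String v : values) {
                if (v.indexOf('\0') >= 0 || v.indexOf('\n') >= 0 || v.indexOf('\r') >= 0) {
                    return false;
                }
            }
        }
        return true;
    }
}

/** Stand-in for XSSParameterValidator: while enabled, it claims every request. */
class XSSParameterValidator implements RequestParameterValidator {
    private boolean enabled = true;
    void setEnabled(boolean enabled) { this.enabled = enabled; }

    @Override
    public boolean canValidateRequest(Request req) { return enabled; }

    @Override
    public boolean validateParameters(Request req) {
        // Illustrative markup check only; the real component's rule set is not reproduced here.
        for (String[] values : req.params.values()) {
            for (String v : values) {
                String lower = v.toLowerCase();
                if (lower.contains("<script") || lower.contains("javascript:")
                        || lower.contains("onerror=") || lower.contains("onload=")) {
                    return false;
                }
            }
        }
        return true;
    }
}

/** Hypothetical context-specific validator that claims only requests under one path prefix. */
class TrustedImportValidator implements RequestParameterValidator {
    @Override
    public boolean canValidateRequest(Request req) { return req.path.startsWith("/admin/import/"); }

    @Override
    public boolean validateParameters(Request req) {
        // Markup is permitted on this path; only an assumed length cap is enforced.
        for (String[] values : req.params.values()) {
            for (String v : values) {
                if (v.length() > 4096) return false;
            }
        }
        return true;
    }
}

public class ValidatorChainDemo {
    /** Builds a one-parameter request from constructed sample input. */
    static Request request(String path, String name, String value) {
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put(name, new String[] { value });
        return new Request(path, params);
    }

    public static void main(String[] args) {
        XSSParameterValidator xss = new XSSParameterValidator();
        TrustedImportValidator trusted = new TrustedImportValidator();
        OverridableParameterValidator chain = new OverridableParameterValidator();

        // Order matters: if xss were listed first, trusted would never be consulted,
        // because an enabled xss claims every request.
        chain.setOverridingValidators(Arrays.asList(trusted, xss));

        Request store = request("/store/search.jsp", "q", "<script>alert(1)</script>");
        Request admin = request("/admin/import/upload.jsp", "body", "<b>bold</b>");
        System.out.println("store request accepted: " + chain.validateParameters(store));  // claimed by xss
        System.out.println("admin request accepted: " + chain.validateParameters(admin));  // claimed by trusted

        xss.setEnabled(false);  // canValidateRequest() now returns false, so no validator claims the store request
        System.out.println("store request with xss disabled accepted: " + chain.validateParameters(store));  // fallback rule
    }
}
```

Run with `javac ValidatorChainDemo.java && java ValidatorChainDemo`. The store request is rejected by XSSParameterValidator, the admin request is accepted by TrustedImportValidator because its path prefix matches before XSSParameterValidator is consulted, and once XSSParameterValidator is disabled the store request falls through to OverridableParameterValidator's own rule, which does not look for markup. That last case is the practical caveat: disabling XSSParameterValidator without adding another validator leaves only the fallback logic in place.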


Copyright © 1997, 2016 Oracle and/or its affiliates. All rights reserved. Legal Notices