As an alternative to using the /atg/dynamo/servlet/security/XSSParameterValidator component for parameter filtering, you can instead use the /atg/dynamo/servlet/security/ParameterValidator component, of class atg.servlet.security.param.OverridableParameterValidator. This component has several properties that you can configure to control what parameter values are considered invalid.
To use the ParameterValidator component for validating query parameters, remove the XSSParameterValidator component from the ParameterValidator component’s overridingValidators property. This will prevent the XSSParameterValidator component from overriding the ParameterValidator component. (See Validating Query Parameters.) To use the ParameterValidator component for validating POST parameters, set the parameterValidator property of the /atg/dynamo/servlet/ServletUtil component to /atg/dynamo/servlet/security/ParameterValidator.
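The two configuration changes just described, written out as Nucleus properties-file layering. This is an added example, not from the Oracle documentation; it assumes the files are placed in a module's localconfig layer and that the `-=` operator is available to remove one entry from a list-valued property.

```properties
# localconfig/atg/dynamo/servlet/security/ParameterValidator.properties
# (assumed location: the localconfig layer of your own module)
# Remove XSSParameterValidator from the list of overriding validators so that
# it no longer overrides ParameterValidator for query-parameter validation.
# "-=" removes a single entry from a list-valued property without touching
# any other validators already configured in that list (assumed syntax).
overridingValidators-=/atg/dynamo/servlet/security/XSSParameterValidator

# localconfig/atg/dynamo/servlet/ServletUtil.properties
# (assumed location: the localconfig layer of your own module)
# Route POST-parameter validation to ParameterValidator as well, so query
# and POST parameters are checked by the same blacklist-style rules.
parameterValidator=/atg/dynamo/servlet/security/ParameterValidator
```

After deploying, confirm in the Dynamo Administration UI that ParameterValidator's overridingValidators no longer lists XSSParameterValidator and that ServletUtil.parameterValidator resolves to the intended component; a blacklist validator that is silently still overridden gives no protection it appears to give.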
Note that XSSParameterValidator and ParameterValidator differ in the type of logic they use for validation. With the XSSParameterValidator component, acceptable parameter values are specified through classes that implement the XSSParameterPolicyHolder interface, and any values not explicitly permitted are considered invalid. With the ParameterValidator component, invalid parameter values are specified in the ParameterValidator class and through properties, and any value that is not determined to be invalid is considered valid.
The following table describes the properties you use to specify the invalid tags, attributes, and other strings that will cause ParameterValidator to reject a request:

| Property | Explanation |
|---|---|
| | Controls whether the Default is See Default Tag and Attribute Names for more information. |
| | A list of HTML elements that are disallowed in parameters. See Default Tag and Attribute Names for more information, including the default list of illegal tag names. |
| | Controls whether strings that appear to be HTML elements are allowed in parameters. Default is |
| | A list of HTML attributes that are disallowed in parameters. See Default Tag and Attribute Names for more information, including the default list of illegal attribute names. |
| | Controls whether strings that appear to be HTML attributes are allowed in parameters. Default is |
| | A list of specific strings that are disallowed in parameters. The list is empty by default. |
| | A list of regular expressions that describe strings that are disallowed in parameters. Default: |
| | A list of components of classes that implement the |