Validation of POST parameters is initiated by the /atg/dynamo/servlet/pagecompile/DAFDropletEventServlet component in the request handling pipeline. This component, of class atg.droplet.DropletEventServlet, is responsible for processing the setX and handleX form handler methods when a form is submitted, which it does by invoking the atg.droplet.EventSender object associated with the form.

When a user attempts to submit a form, the EventSender object calls the isSuspiciousParamValue() method of the atg.servlet.ServletUtil object. This method uses the component specified in the parameterValidator property of the /atg/dynamo/servlet/ServletUtil component to filter the parameters. If all of the parameters are valid, the EventSender calls the setX and handleX form handler methods to set the values on the form handler and process the form.

The ServletUtil component’s parameterValidator property is set to a component of a class that implements the atg.servlet.security.param.ParameterValidator interface. This interface has a single method, areParamValuesSuspicious(), that is responsible for examining the parameter values and determining whether any of them looks suspicious.

The ServletUtil object’s isSuspiciousParamValue() method invokes the areParamValuesSuspicious() method on the component specified by the ServletUtil component’s parameterValidator property. By default, the parameterValidator property is set to /atg/dynamo/servlet/security/XSSParameterValidator, of class atg.servlet.security.param.XSSParameterValidator. This component implements logic for validating the request parameters. See Using the XSSParameterValidator Component for information about this parameter validator and about how you can create and configure alternative parameter validators.
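
The ordering described above (every parameter is checked by a pluggable validator before any setX or handleX method runs) can be seen in the following simplified model, which is an added example and not ATG code. The ParamValidator interface, its method signature, the regular expression, the sample forms, and returning false on rejection are all assumptions made for illustration; only the method name areParamValuesSuspicious() comes from this page.

```java
import java.util.*;
import java.util.function.BiConsumer;
import java.util.regex.Pattern;

public class FormGateModel {
    // Stand-in for the validator contract; the real ATG signature is not shown on this page.
    interface ParamValidator {
        boolean areParamValuesSuspicious(String name, String[] values);
    }

    // Constructed rule for this demo only: flag values containing markup or a javascript: scheme.
    static final Pattern MARKUP = Pattern.compile("[<>]|javascript:", Pattern.CASE_INSENSITIVE);

    static final ParamValidator DEMO_VALIDATOR = (name, values) ->
        Arrays.stream(values).anyMatch(v -> MARKUP.matcher(v).find());

    // Models the gate: all parameters are validated before any setter is called,
    // so one suspicious value stops the whole submission with no partial state.
    static boolean submit(Map<String, String[]> params, ParamValidator validator,
                          BiConsumer<String, String[]> setter, Runnable handler) {
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (validator.areParamValuesSuspicious(e.getKey(), e.getValue())) {
                return false; // nothing has been set on the form handler yet
            }
        }
        params.forEach(setter); // the setX phase
        handler.run();          // the handleX phase
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample submissions.
        Map<String, String[]> clean = new LinkedHashMap<>();
        clean.put("firstName", new String[] {"Ada"});
        clean.put("comment", new String[] {"Great product"});

        Map<String, String[]> tainted = new LinkedHashMap<>();
        tainted.put("firstName", new String[] {"Ada"});
        tainted.put("comment", new String[] {"<script>alert(1)</script>"});

        for (Map<String, String[]> form : List.of(clean, tainted)) {
            Map<String, String[]> state = new LinkedHashMap<>(); // models form handler properties
            boolean ok = submit(form, DEMO_VALIDATOR, state::put,
                                () -> System.out.println("handler invoked"));
            System.out.println("processed=" + ok + " propertiesSet=" + state.keySet());
        }
    }
}
```

In the second submission the valid firstName parameter is also left unset, because the check covers the whole parameter set before the setter phase begins.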