Using the ParameterValidator Component

As an alternative to using the /atg/dynamo/servlet/security/XSSParameterValidator component for parameter filtering, you can instead use the /atg/dynamo/servlet/security/ParameterValidator component, of class atg.servlet.security.param.OverridableParameterValidator. This component has several properties that you can configure to control what parameter values are considered invalid.

To use the ParameterValidator component for validating query parameters, remove the XSSParameterValidator component from the ParameterValidator component’s overridingValidators property. This will prevent the XSSPParameterValidator component from overriding the ParameterValidator component. (See Validating Query Parameters.) To use the ParameterValidator component for validating POST parameters, set the parameterValidator property of the /atg/dynamo/servlet/ServletUtil component to /atg/dynamo/servlet/security/ParameterValidator.

Note that XSSParameterValidator and ParameterValidator differ in the type of logic they use for validation. With the XSSParameterValidator component, acceptable parameter values are specified through classes that implement the XSSParameterPolicyHolder interface, and any values not explicitly permitted are considered invalid. With the ParameterValidator component, invalid parameter values are specified in the ParameterValidator class and through properties, and any value that is not determined to be invalid is considered valid.

The following table describes the properties you use to specify the invalid tags, attributes, and other strings that will cause ParameterValidator to reject a request:

Property

Explanation

alwaysAddDefaults

Controls whether the ParameterValidator component adds lists of default string values to the illegalTagNames and illegalAttributeNames properties.

Default is true to include the default string values. Set the value of this property to false to omit the default values.

See Default Tag and Attribute Names for more information.

illegalTagNames

A list of HTML elements that are disallowed in parameters.

See Default Tag and Attribute Names for more information. including the default list of illegal tag names.

onlyDisallowIllegalTagNames

Controls whether strings that appear to be HTML elements are allowed in parameters.

Default is true to allow strings that appear to be HTML elements as long as they are not included in the illegalTagNames property. Set the value of this property to false to disallow any string that appears to be an HTML element.

illegalAttributeNames

A list of HTML attributes that are disallowed in parameters.

See Default Tag and Attribute Names for more information. including the default list of illegal attribute names.

onlyDisallowIllegalAttributeNames

Controls whether strings that appear to be HTML attributes are allowed in parameters.

Default is true to allow strings that appear to be HTML attributes as long as they are not included in the illegalAttributeNames property. Set the value of this property to false to disallow any string that appears to be an HTML attribute.

illegalStrings

A list of specific strings that are disallowed in parameters. The list is empty by default.

illegalRegexes

A list of regular expressions that describe strings that are disallowed in parameters. Default: javascript\\s*:, (^|[^a-zA-Z])x\\s*:, vbscript\\s*:, /\\s*>, ^\\s*>

overridingValidators

A list of components of classes that implement the RequestParameterValidator interface. By default this is set to /atg/dynamo/servlet/security/
XSSParameterValidator.

Copyright © 1997, 2018 Oracle and/or its affiliates. All rights reserved. Legal Notices