Hi Everybody,

     I would really like the opinion of the big heavyweights who designed
this framework. I have a small but important suggestion to make for the
Struts 1.1 todo list.
So far Struts does not implement a filtering technology for incoming
requests, which is very important in this hacker-dominated world. I have a
simple solution / change that can be made to the current version of Struts
which would implement this filtering technology. This filter basically
filters out unwanted characters submitted by the user so that the database
will not be harmed. I propose that the BeanUtils.populate() method be
modified to include a filter (before calling the setters on the corresponding
form object). The filter() method takes the bad / unwanted characters out
and gives back a clean string. This clean string is then set in the
corresponding form setter method. This filter would read the following
criteria from a properties file. The structure of the properties file would
be:

    # allowed characters in the database
    allowedCharacters = askbdsvASDASDA123412321...

    # disallowed characters in the database
    disallowedCharacters = ~`!@#$%^&*()-|\\<,>.?/:;"'
  
    # replacement character. For every disallowed character in the input string,
    # it would be replaced by this character
    replacementChar = "-"

    # This flag specifies whether to check the incoming string for allowedCharacters
    # or disallowedCharacters.
    # 1 = allowedCharacters
    # 2 = disallowedCharacters
    filterWhatKind = 1
    
    # This flag specifies whether to allow filtering or not
    # true = allow filtering
    # false = disallow filtering
    filterFlag = true

    Have a method called filter() in BeanUtils that will implement the
specific filter. Based on the 'filterFlag' value this method is either
called or ignored in the BeanUtils.populate() method.

    The properties file is specified in the web.xml file at the
ActionServlet level.
This file is application specific and can be changed / modified based on the
application. Not having this properties file indicates that no filtering is
to be implemented.

    Any comments / suggestions are welcome.

cheers,
Amar..

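The filter the post describes, as a stand-alone added example (this is neither code from the post nor from Struts, and nothing here is wired into BeanUtils.populate()). It reads the same five property names the post lists and applies them in both modes. The class name InputCharFilter, the concrete allowedCharacters set, and the three sample inputs are assumptions constructed for the demonstration; the properties text itself mirrors the post's layout, including the quoted replacementChar, which java.util.Properties would otherwise keep as a three-character value.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

/*
 * Added example, not Struts code: a stand-alone sketch of the filter()
 * method the post proposes, keyed to the post's property names
 * (allowedCharacters, disallowedCharacters, replacementChar,
 * filterWhatKind, filterFlag). Class name and sample data are assumptions.
 */
public class InputCharFilter {

    private final boolean enabled;
    private final int mode;          // 1 = keep only allowedCharacters, 2 = strip disallowedCharacters
    private final String allowed;
    private final String disallowed;
    private final char replacement;

    public InputCharFilter(Properties p) {
        enabled = Boolean.parseBoolean(p.getProperty("filterFlag", "false").trim());
        mode = Integer.parseInt(p.getProperty("filterWhatKind", "1").trim());
        allowed = p.getProperty("allowedCharacters", "");
        disallowed = p.getProperty("disallowedCharacters", "");
        String r = p.getProperty("replacementChar", "-").trim();
        // The post writes  replacementChar = "-"  with quotes; Properties keeps
        // the quotes as part of the value, so strip them here (assumption).
        if (r.length() >= 2 && r.startsWith("\"") && r.endsWith("\"")) {
            r = r.substring(1, r.length() - 1);
        }
        replacement = r.isEmpty() ? '-' : r.charAt(0);
    }

    /** Returns the input with every rejected character replaced; a no-op when filterFlag is false. */
    public String filter(String in) {
        if (!enabled || in == null) {
            return in;
        }
        StringBuilder out = new StringBuilder(in.length());
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            // Mode 1 rejects anything outside the allowed set;
            // mode 2 rejects only what is in the disallowed set.
            boolean reject = (mode == 1) ? allowed.indexOf(c) < 0
                                         : disallowed.indexOf(c) >= 0;
            out.append(reject ? replacement : c);
        }
        return out.toString();
    }

    static Properties load(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p;
    }

    public static void main(String[] args) throws IOException {
        // Constructed properties text following the post's layout; the allowed
        // set is an assumption. "\\\\" in Java source is "\\" in the file,
        // which Properties reads as a single backslash.
        String base =
              "allowedCharacters = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 @._\n"
            + "disallowedCharacters = ~`!@#$%^&*()-|\\\\<,>.?/:;\"'\n"
            + "replacementChar = \"-\"\n"
            + "filterFlag = true\n";

        // Constructed sample inputs: one hostile, two legitimate.
        String[] samples = { "Robert'); DROP TABLE users;--", "O'Brien", "jane@example.com" };

        InputCharFilter allowMode = new InputCharFilter(load(base + "filterWhatKind = 1\n"));
        InputCharFilter denyMode  = new InputCharFilter(load(base + "filterWhatKind = 2\n"));
        InputCharFilter off       = new InputCharFilter(load(base + "filterWhatKind = 1\nfilterFlag = false\n"));

        for (String s : samples) {
            System.out.println("input   : " + s);
            System.out.println("  mode 1: " + allowMode.filter(s));
            System.out.println("  mode 2: " + denyMode.filter(s));
            System.out.println("  off   : " + off.filter(s));
        }
    }
}
```

Running the three samples through both modes shows the trade-off the two flags encode: mode 1 (allow-list) and mode 2 (deny-list) treat the hostile string the same way, but they diverge on ordinary data. The apostrophe in O'Brien is replaced in both modes, and under mode 2 the `@` and `.` of a valid e-mail address are replaced as well, because the post's disallowedCharacters list contains them. The allowed and disallowed sets therefore need to be chosen per field or per application, which is what the post's web.xml-scoped properties file is for.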