Operation

This document describes how to operate the Filter software contained in the filter package. The Filter software is a library for filtering parameter values passed into web applications. There is no direct interface for interacting with the software. Once it has been installed in the Java Application Server and configured for the desired scope, it filters every request for parameter values. It accomplishes this by overriding the following methods of HttpServletRequest:

  • getHeader()
  • getParameter()
  • getParameterValues()

The filter works by stripping known strings associated with Cross-Site Scripting (XSS) (e.g., <script>, etc.) out of user-submitted values. It also looks for other characters (e.g., $, @, etc.) that might facilitate Blind SQL Injection, and simply blanks out the entire value if any of these are found.
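The following is an added example, not the source of the filter package described above, showing how a servlet filter of this kind is typically structured: a Filter wraps each HttpServletRequest in an HttpServletRequestWrapper that overrides getHeader(), getParameter() and getParameterValues(), strips a denylist of XSS fragments, and blanks any value containing a SQL-injection indicator character. The class name, the "/*" scope, the specific denylist patterns and the indicator characters are constructed assumptions; it assumes the javax.servlet API (Servlet 3.x) and Java 8 or later.

```java
// Added example (not the filter package's own code): a request-wrapping servlet
// filter that sanitizes header and parameter values on the way into the application.
import java.io.IOException;
import java.util.Arrays;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

@WebFilter("/*") // assumed scope: every request to the application
public class ParameterSanitizingFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Replace the request with a wrapper so every downstream servlet sees filtered values.
        if (req instanceof HttpServletRequest) {
            req = new SanitizedRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /** Wrapper that intercepts the three accessors named in the description. */
    static class SanitizedRequest extends HttpServletRequestWrapper {
        SanitizedRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getHeader(String name) {
            return Sanitizer.sanitize(super.getHeader(name));
        }

        @Override
        public String getParameter(String name) {
            return Sanitizer.sanitize(super.getParameter(name));
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] values = super.getParameterValues(name);
            if (values == null) {
                return null;
            }
            return Arrays.stream(values).map(Sanitizer::sanitize).toArray(String[]::new);
        }
    }

    /** Denylist logic kept separate so it can be unit-tested without a container. */
    static final class Sanitizer {
        // Constructed denylist of XSS fragments; matched case-insensitively and removed.
        private static final Pattern[] XSS_FRAGMENTS = {
            Pattern.compile("<script\\b[^>]*>", Pattern.CASE_INSENSITIVE),
            Pattern.compile("</script\\s*>", Pattern.CASE_INSENSITIVE),
            Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
        };
        // Constructed set of SQL-injection indicator characters; any hit blanks the whole value.
        private static final String SQLI_CHARS = "$@'\";";

        static String sanitize(String value) {
            if (value == null) {
                return null;
            }
            // Blanking takes precedence over stripping, as the description specifies.
            for (char c : value.toCharArray()) {
                if (SQLI_CHARS.indexOf(c) >= 0) {
                    return "";
                }
            }
            String cleaned = value;
            for (Pattern p : XSS_FRAGMENTS) {
                cleaned = p.matcher(cleaned).replaceAll("");
            }
            return cleaned;
        }
    }

    // Stand-alone demonstration on constructed inputs; no servlet container needed.
    public static void main(String[] args) {
        String[] samples = {
            "hello world",
            "<SCRIPT>alert(1)</script>tail",
            "O'Brien",
            "price=$5",
        };
        for (String s : samples) {
            System.out.println("[" + s + "] -> [" + Sanitizer.sanitize(s) + "]");
        }
    }
}
```

Two points a practitioner should keep in mind when deploying a filter of this shape. First, blanking on single characters such as $ or ' rejects legitimate input (names like O'Brien, prices, e-mail addresses in headers), so the scope should be chosen to cover only the parameters that actually need it. Second, a denylist is a defense-in-depth layer rather than a primary control: encoding variants and new vectors will not match fixed patterns, so parameterized queries and context-aware output encoding in the application remain the controls that actually prevent SQL injection and XSS.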