Hey guys-

I don't know what the normal protocol is for low priority features, but here goes...

At tribe, we have a need to scrub all of the strings that are coming from our forms to make sure that end users are not entering in malicious HTML in the free-form text areas. The way we have done this is to refactor the setRequest processing to call a scrub() method. Scrub is protected and by default does nothing, but our implementation overrides this method with a simple HTML scrubbing of all the strings passed in.

Again, I don't know how you guys manage tiny changes like this - if it is considered polluting the codebase or not. If anyone has done this a different way I would be interested in hearing about it. At this point, it is my goal to keep our local turbine code as close to the 2.3 repository as possible. Let me know what you think...

-Brian

Index: src/java/org/apache/turbine/util/parser/DefaultParameterParser.java
===================================================================
RCS file: /home/cvspublic/jakarta-turbine-2/src/java/org/apache/turbine/util/ parser/DefaultParameterParser.java,v
retrieving revision 1.20.2.1
diff -u -r1.20.2.1 DefaultParameterParser.java
--- src/java/org/apache/turbine/util/parser/DefaultParameterParser.java 27 Feb 2004 10:34:24 -0000 1.20.2.1
+++ src/java/org/apache/turbine/util/parser/DefaultParameterParser.java 6 Apr 2004 01:47:45 -0000
@@ -192,8 +192,7 @@
names.hasMoreElements();)
{
tmp = (String) names.nextElement();
- add(convert(tmp),
- request.getParameterValues(tmp));
+ add(convert(tmp), scrub(request.getParameterValues(tmp)));
}


// Also cache any pathinfo variables that are passed around as
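Review bot: the hook in the `+` line receives only the values, not the parameter name, so an override cannot treat fields differently (for example leaving one deliberately rich-text field alone while escaping every other text area); consider `scrub(tmp, request.getParameterValues(tmp))`, or at least document that scrub() sees every parameter indiscriminately. This loop is also the only call site the patch adds, so any other path by which setRequest() stores parameter values bypasses the hook.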
@@ -337,5 +336,16 @@
+ name + ") is not an instance of FileItem[]", e);
return null;
}
+ }
+
+ /**
+ * The scrub method is used by setRequest() to do any pre-processing needed
+ * on inbound strings. The default implementation is to do nothing, but
+ * applications may overide this method to add any specific behavior they
+ * need in their business rules (such as HTML tag scrubbing).
+ */
+ protected String[] scrub(String vals[])
+ {
+ return vals;
}
}
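Review bot: the Javadoc for scrub() should spell out the contract an override must honour: whether the incoming array may be null, whether the override may return null or an array of a different length, and that the default returns the same array reference so existing behaviour is unchanged; it also has a typo ("overide" should be "override"). Style: `String vals[]` is the C-style declaration; `String[] vals` is the usual Java form.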


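An example of the kind of override described in the message, added here as an illustration rather than code from the post or from Turbine itself; the class name, the package name and the escaping helper are assumptions.

```java
package com.example.tribe; // hypothetical package name

import org.apache.turbine.util.parser.DefaultParameterParser;

/**
 * Example override of the scrub() hook from the patch above.
 * Each inbound value is HTML-escaped so that markup typed into a
 * free-form text area is stored as inert text.
 */
public class HtmlScrubbingParameterParser extends DefaultParameterParser
{
    protected String[] scrub(String[] vals)
    {
        // setRequest() passes through whatever getParameterValues()
        // returned; keep that contract and never turn null into an array.
        if (vals == null)
        {
            return null;
        }
        String[] out = new String[vals.length];
        for (int i = 0; i < vals.length; i++)
        {
            out[i] = (vals[i] == null) ? null : escapeHtml(vals[i]);
        }
        return out;
    }

    /** Escape the five characters that let text break out of an HTML text node or attribute. */
    static String escapeHtml(String s)
    {
        StringBuffer sb = new StringBuffer(s.length() + 16);
        for (int i = 0; i < s.length(); i++)
        {
            char c = s.charAt(i);
            switch (c)
            {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Because the escaped form is what gets stored, templates that already escape on output will double-encode these values; pick one layer to do the escaping.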
