Soutrick Soutrick - 26 days ago 5
reST (reStructuredText) Question

Special Characters in Request Parameter

I am developing services in spring and the services were deployed in JBOSS 7.1.0.
Sample code for request mapping:

@RequestMapping(value=/state, method=RequestMethod.GET)
public ResponseEntity<ListStatesResponseVO> getListOfStates(@RequestParam(required=false) Long id,
@RequestParam(required=false) Long page,
@RequestParam(required=false) Long pagesize);


My problem is when I pass special characters in request parameter, it’s returning me a valid xml response, but as per my understanding it should return “400 BAD REQUEST”.

Sample URI:

http://localhost:8080/location-services/location/api/state?id=$%^$^$#$%^$%


I also added

<property name="org.apache.catalina.connector.URI_ENCODING" value="UTF-8"/>
<property name="org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING" value="true"/>


Inside JBOSS’s standalone.xml.

And also

<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<!-- set forceEncoding to true if you want to override encoding of servlet -->
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>


Inside web.xml.

But these doesn’t solved the problem.

Is there any solution available for this.
Thanks in advance.

Answer

You should not allow your users to enter the values in the query string themselves. It's a bad practice and is very risky for your web application security. To avoid such attacks and restrict your users from url tampering you should implement HDIV framework in your application.

Once you implement that no one can mess with your urls. And if someone tries to do so then "bad request" errors will be shown to them.

Hope this helps you. Cheers.