--- /dev/null
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.catalina.filters;
+
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+
+
+/**
+ * Filter that explicitly sets the default character set for media subtypes of
+ * the "text" type to ISO-8859-1. RFC2616 explicitly states that browsers must
+ * use ISO-8859-1 in these circumstances. However, browsers may attempt to
+ * auto-detect the character set. This may be exploited by an attacker to
+ * perform an XSS attack. Internet Explorer has this behaviour by default. Other
+ * browsers have an option to enable it.
+ *
+ * This filter prevents the attack by explicitly setting a character set. Unless
+ * the provided character set is explicitly overridden by the user - in which
+ * case they deserve everything they get - the browser will adhere to an
+ * explicitly set character set, thus preventing the XSS attack.
+ */
+public class AddDefaultCharsetFilter implements Filter {
+
+ public void destroy() {
+ // NOOP
+ }
+
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain) throws IOException, ServletException {
+
+ // Wrap the response
+ if (response instanceof HttpServletResponse) {
+ ResponseWrapper wrapped =
+ new ResponseWrapper((HttpServletResponse)response);
+ chain.doFilter(request, wrapped);
+ } else {
+ chain.doFilter(request, response);
+ }
+ }
+
+ public void init(FilterConfig filterConfig) throws ServletException {
+ // NOOP
+ }
+
+ /**
+ * Wrapper that adds the default character set for text media types if no
+ * character set is specified.
+ */
+ public class ResponseWrapper extends HttpServletResponseWrapper {
+
+ @Override
+ public void setContentType(String ct) {
+
+ if (ct != null && ct.startsWith("text/") &&
+ ct.indexOf("charset=") < 0) {
+ // Use getCharacterEncoding() in case the charset has already
+ // been set by a separate call.
+ super.setContentType(ct + ";charset=" + getCharacterEncoding());
+ } else {
+ super.setContentType(ct);
+ }
+
+ }
+
+ public ResponseWrapper(HttpServletResponse response) {
+ super(response);
+ }
+
+ }
+}
+++ /dev/null
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.catalina.valves;
-
-import java.io.IOException;
-
-import javax.servlet.ServletException;
-
-import org.apache.catalina.valves.ValveBase;
-import org.apache.catalina.connector.Request;
-import org.apache.catalina.connector.Response;
-
-/**
- * Valve that explicitly sets the default character set for media subtypes of
- * the "text" type to ISO-8859-1. RFC2616 explicitly states that browsers must
- * use ISO-8859-1 in these circumstances. However, browsers may attempt to
- * auto-detect the character set. This may be exploited by an attacker to
- * perform an XSS attack. Internet Explorer has this behaviour by default. Other
- * browsers have an option to enable it.
- *
- * This valve prevents the attack by explicitly setting a character set. Unless
- * the provided character set is explicitly overridden by the user - in which
- * case they deserve everything they get - the browser will adhere to an
- * explicitly set character set, thus preventing the XSS attack.
- *
- * To use this valve add the following <code><Valve
- * className="org.apache.catalina.valves.AddDefaultCharsetValve" /></code>
- * to your <code>Engine</code>, <code>Host</code> or <code>Context</code> as
- * required.
- */
-
-public class AddDefaultCharsetValve
- extends ValveBase {
-
- /**
- * Check for text/* and no character set and set charset to ISO-8859-1 in
- * those circumstances.
- */
- public void invoke(Request request, Response response)
- throws IOException, ServletException {
-
- // Process the request first
- getNext().invoke(request, response);
-
- // Test once the response has been generated
- String ct = response.getContentType();
- if (ct != null && ct.startsWith("text/")) {
- // Make sure the charset is explicitly set
- response.setCharacterEncoding(response.getCharacterEncoding());
- }
- }
-
-}
--- /dev/null
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!DOCTYPE document [
+ <!ENTITY project SYSTEM "project.xml">
+]>
+<document url="filter.html">
+
+ &project;
+
+ <properties>
+ <title>Container Provided Filters</title>
+ </properties>
+
+<body>
+
+
+<section name="Introduction">
+
+ <p>Tomcat provides a number of <strong>Filters</strong> which may be
+ configured for use with all web applications using
+ <code>$CATALINA_BASE/conf/web.xml</code> or may be configured for individual
+ web applications by configuring them in the application's
+ <code>WEB-INF/web.xml</code>. Each filter is described below.</p>
+
+ <blockquote><em>
+ <p>This description uses the variable name $CATALINA_BASE to refer the
+ base directory against which most relative paths are resolved. If you have
+ not configured Tomcat for multiple instances by setting a CATALINA_BASE
+ directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME,
+ the directory into which you have installed Tomcat.</p>
+ </em></blockquote>
+
+</section>
+
+
+<section name="Add Default Character Set Filter">
+
+ <subsection name="Introduction">
+
+ <p>The HTTP specification is clear that if no character set is specified for
+ media sub-types of the "text" media type, the ISO-8859-1 character set must
+ be used. However, browsers may attempt to auto-detect the character set.
+ This may be exploited by an attacker to perform an XSS attack. Internet
+ Explorer has this behaviour by default. Other browsers have an option to
+ enable it.</p>
+
+ <p>This filter prevents the attack by explicitly setting a character set.
+ Unless the provided character set is explicitly overridden by the user the
+ browser will adhere to the explicitly set character set, thus preventing the
+ XSS attack.</p>
+
+ </subsection>
+
+ <subsection name="Filter Class Name">
+
+ <p>The filter class name for the Add Default Character Set Filter is
+ <strong><code>org.apache.catalina.filters.AddDefaultCharsetFilter</code>
+ </strong>.</p>
+
+ </subsection>
+
+ <subsection name="Initialisation parameters">
+
+ <p>The Add Default Character Set Filter does not support any initialisation
+ parameters</p>
+
+ </subsection>
+
+</section>
+
+
+</body>
+
+
+</document>
<item name="Realm" href="realm.html"/>
<item name="Resources" href="resources.html"/>
<item name="Valve" href="valve.html"/>
+ <item name="Filters" href="filters.html"/>
</menu>
<menu name="Cluster Elements">
projects / tomcat7.0 / commitdiff