Configuring Input Filtering

You can configure the input filter to prevent bad data from being stored in the database. The properties from emxSystem.properties defined in this task are only used if input filtering is enabled in the web.xml file (step 1).

Note: If you add other filters to the web.xml file, insert them AFTER the security filters so that they cannot override the security filters.

See Also
Configuring Properties
  1. To enable input filtering, follow these steps:
    1. Open the web.xml file used by the Tomcat server for editing.
    2. Add these lines:

      Note: You might already have enabled the input filter if you performed the Preventing URL Redirection task.
      <!-- XSS Input Filter filter -->
        <filter>
          <filter-name>XSSInputFilter</filter-name>
          <filter-class>com.matrixone.apps.domain.util.XSSInputFilter</filter-class>
        </filter>

    3. To define URL patterns that the filter skips, insert the init-param element before the closing </filter> tag, as follows:

      <!-- XSS Input Filter filter -->
        <filter>
          <filter-name>XSSInputFilter</filter-name>
          <filter-class>com.matrixone.apps.domain.util.XSSInputFilter</filter-class>
            <init-param>
              <param-name>skipFilterUrlPatterns</param-name>
              <param-value>/resources/AppsMngt/security/encrypt*,/resources/AppsMngt/security/decrypt*</param-value>
            </init-param>
        </filter>

      The <param-value> above shows a recommended comma-separated list of URL patterns. Update it as required for your installation.

    4. Add these lines:

      <!--XSS Input Filter mapping -->
        <filter-mapping>
          <filter-name>XSSInputFilter</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>

    5. Save the web.xml file.
  2. Create or open the text file to contain customized properties for emxSystem.properties. For more information, see Editing Properties Using MQL.
  3. To define characters that cannot be stored in the database, follow these steps:
    1. Add or edit this line in the file used to import properties into the emxSystem.properties page object:

      emxFramework.InputFilter.BadChars=

      By default, no characters are defined.

    2. Set the value for this property as a pipe-delimited list of characters.

      For example, you can set the value as shown here to provide a baseline level of protection:

      emxFramework.InputFilter.BadChars= <|>

      For a higher level of protection, you could set the value to <|>|"|'|%|;|)|(|&|+|-). Prohibiting certain characters might result in functional issues for apps that rely on those characters. Specifically, this table shows the impact of prohibiting some of these characters:

      Character   Functional Impact
      ---------   -----------------
      < > %       Affects the rich text editor.
      %           Used as a space in URLs. If defined as a bad character, URLs to be saved cannot include spaces.
      &           The getQueryString method uses this character; any string that uses & becomes invalid.
      +           Check-in and check-out ticket generation uses the + symbol.
      "           Used in runMQL.jsp when schema names contain spaces. If runMQL.jsp is removed or not used, add this character to the list of bad characters.

  4. To define regular expressions that cannot be stored in the database, follow these steps:
    1. Add or edit this line in the file used to import properties into the emxSystem.properties page object:

      emxFramework.InputFilter.BadRegExp=

    2. Set the value for this property as a pipe-delimited list of regular expressions.

      For example, you can set the value as shown here:

      emxFramework.InputFilter.BadRegExp=(?is)prog(ram)?\\s*\\[.*\\]|(?is)exec(ute)?\\s*\\[.*\\]|(?is)eval.*\\(|(?s)".*\\*|(?s)'.*\\*|(?s)\\<.*\\>|(?s)\\>.*\\<|(?is)\\/\\*|(?is)<!--|(?is)-->|(\\b)(on\\S+)(\\s*)=|(?i)\\\\x[a-f0-9]{2}|(?i)\\\\u00[a-f0-9]{2}|(?is)[^:]\\/\\/|(?s)"\\s*\\).*|(?s)'\\s*\\).*

      If any payload or subpayload matches one of the regular expressions defined in this property, an exception is thrown and a null payload is returned to the user.

  5. To prevent parameters used by apps from being filtered when their values contain characters listed in the emxFramework.InputFilter.BadChars property, follow these steps:

    If a parameter's value uses a character defined in the emxFramework.InputFilter.BadChars property and the parameter is not listed in the emxFramework.InputFilter.ExcludeParameters property, the command that uses the parameter will fail.

    1. Add or edit this line in the file used to import properties into the emxSystem.properties page object:

      emxFramework.InputFilter.ExcludeParameters = ftsFilters|updateWidget|UOM|WeightUofM|evolutionExpression|MasterArtworkCopyText|CurrentCopyText|CopyText|newCopyText|Copy Text|attrNameValList|customTableColValue

    2. Set the value for this property as a pipe-delimited list of parameter names. Excluding a parameter here exempts it only from the emxFramework.InputFilter.BadChars check; its value is still rejected if it matches a regular expression defined in the emxFramework.InputFilter.BadRegExp property.
  6. When finished updating the text file with all properties you want to modify, including the ones shown here, use the text file to modify the emxSystem.properties page object. For more information, see Editing Properties Using MQL.
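The following Python script is an added example, not the product's XSSInputFilter source (which this page does not show). It is a reference model of how the three emxSystem.properties values from steps 3 to 5 and the skipFilterUrlPatterns value from step 1 combine when a request is checked: the property lines are loaded with Java .properties backslash unescaping (which is why the page doubles every backslash), each pipe-delimited entry is compiled separately, the BadChars check is bypassed for names in ExcludeParameters, and the BadRegExp check applies to every parameter. The property values are copied from this page; the request paths and parameter values are constructed, the class and function names are the example's own, and treating the trailing * in skipFilterUrlPatterns as a glob-style wildcard is an assumption.

```python
import fnmatch
import re

# Constructed sample of the property lines from the steps above (not the
# product's shipped file). Backslashes are doubled exactly as in a Java
# .properties file, so the loader has to unescape them.
PROPERTIES_TEXT = r"""
emxFramework.InputFilter.BadChars= <|>
emxFramework.InputFilter.BadRegExp=(?is)prog(ram)?\\s*\\[.*\\]|(?is)exec(ute)?\\s*\\[.*\\]|(?is)eval.*\\(|(?s)".*\\*|(?s)'.*\\*|(?s)\\<.*\\>|(?s)\\>.*\\<|(?is)\\/\\*|(?is)<!--|(?is)-->|(\\b)(on\\S+)(\\s*)=|(?i)\\\\x[a-f0-9]{2}|(?i)\\\\u00[a-f0-9]{2}|(?is)[^:]\\/\\/|(?s)"\\s*\\).*|(?s)'\\s*\\).*
emxFramework.InputFilter.ExcludeParameters = ftsFilters|updateWidget|UOM|WeightUofM|evolutionExpression|MasterArtworkCopyText|CurrentCopyText|CopyText|newCopyText|Copy Text|attrNameValList|customTableColValue
"""

# The skipFilterUrlPatterns init-param value from the web.xml fragment in step 1.
SKIP_FILTER_URL_PATTERNS = "/resources/AppsMngt/security/encrypt*,/resources/AppsMngt/security/decrypt*"


def unescape_property_value(raw):
    r"""Java .properties escaping: a doubled backslash yields one backslash,
    \t \n \r \f become control characters, any other escaped char is kept as-is."""
    control = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(control.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def load_properties(text):
    """Minimal key=value loader for the lines used here (no continuation lines)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = unescape_property_value(value.strip())
    return props


def split_pipe(value):
    """Pipe-delimited list as described in the steps; empty entries are dropped."""
    return [item for item in value.split("|") if item]


class XSSInputFilterModel:
    """Reference model (an assumption, not the vendor's XSSInputFilter code) of how
    the three properties and skipFilterUrlPatterns combine when a request is checked."""

    def __init__(self, props, skip_url_patterns):
        self.bad_chars = split_pipe(props.get("emxFramework.InputFilter.BadChars", ""))
        # Each list entry is compiled on its own, so a single regex cannot itself contain '|'.
        self.bad_regexps = [re.compile(p) for p in split_pipe(props.get("emxFramework.InputFilter.BadRegExp", ""))]
        self.exclude_params = set(split_pipe(props.get("emxFramework.InputFilter.ExcludeParameters", "")))
        self.skip_url_patterns = [p.strip() for p in skip_url_patterns.split(",") if p.strip()]

    def url_is_skipped(self, path):
        # Assumption: '*' in skipFilterUrlPatterns is a simple wildcard (glob-style match).
        return any(fnmatch.fnmatchcase(path, pat) for pat in self.skip_url_patterns)

    def violations(self, name, value):
        """List why a parameter value would be rejected; an empty list means it is clean."""
        found = []
        # BadChars check: skipped for parameters named in ExcludeParameters (step 5).
        if name not in self.exclude_params:
            found.extend(f"bad char {c!r}" for c in self.bad_chars if c in value)
        # BadRegExp check: applies to every parameter, excluded or not (step 5.2).
        found.extend(f"bad regexp {rx.pattern!r}" for rx in self.bad_regexps if rx.search(value))
        return found

    def filter_request(self, path, params):
        """Return the parameters unchanged when the request is clean, or None (the
        'null payload' described in step 4) when any parameter is rejected."""
        if self.url_is_skipped(path):
            return params
        for name, value in params.items():
            if self.violations(name, value):
                return None
        return params


FILTER = XSSInputFilterModel(load_properties(PROPERTIES_TEXT), SKIP_FILTER_URL_PATTERNS)

if __name__ == "__main__":
    # Constructed requests: a clean value, a value with a bad character, an excluded
    # parameter with a bad character (accepted), and the same parameter matching a
    # bad regexp (still rejected).
    samples = [("name", "John Smith"), ("name", "a<b"), ("ftsFilters", "a<b"), ("ftsFilters", "<img onerror=1>")]
    for name, value in samples:
        print(f"{name}={value!r}: {FILTER.violations(name, value) or 'clean'}")
    print(FILTER.filter_request("/some/page.jsp", {"name": "a<b"}))
    print(FILTER.filter_request("/resources/AppsMngt/security/encryptData", {"x": "<b>"}))
```

Running the script shows the interaction the steps describe: a<b is rejected for an ordinary parameter but accepted for ftsFilters, while an event-handler attribute in ftsFilters is still rejected by the (\b)(on\S+)(\s*)= and (?s)\<.*\> expressions, and a request to an encrypt URL is returned untouched because the filter is skipped for it.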