Write a simple class that subcalsses `HttpServletRequestWrapper` with a getParameter() method that returns the sanitized version of the input. Then pass an instance of your `HttpServletRequestWrapper` to `Filter.doChain()` instead of the request object directly.