Write a simple class that subcalsses `HttpServletRequestWrapper` with a getParameter() method that returns the sanitized version of the input. Then pass an instance of your `HttpServletRequestWrapper` to Filter.doChain instead of the response object directly.