Write a simple class that implements the `HttpServletRequestWrapper` interface with a getParamater() method that returns the sanitized version of the input. Then pass and instance of your `HttpServletRequestWrapper` to Filter.doChain instead of the response object directly.