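// I. Write the following filter code:
package com.liufeng.sys.filter;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet filter that rejects a request when any request parameter contains one of the
 * configured "illegal" characters or strings.
 *
 * <p>The tokens come from the {@code characterParams} init parameter, a comma-separated list.
 * For each parameter, all of its values are concatenated and searched for every token with a
 * plain substring match. On the first hit the filter answers with a small script that shows an
 * alert and navigates back; otherwise the request continues down the chain.
 *
 * <p>Security scope: this is a deny-list over the values returned by
 * {@code getParameterValues}. It does not look at headers, cookies, the path or a raw request
 * body, and it matches literal substrings only. Treat it as an extra input-hygiene layer; SQL
 * injection is prevented by parameterized queries and XSS by encoding output for the context
 * it is written into. A token such as {@code '} or {@code @} also rejects legitimate input
 * (names with apostrophes, e-mail addresses), so choose the list with the application's forms
 * in mind.
 */
public class IllegalCharacterFilter implements Filter {

    /** Tokens to reject; never null, empty until {@link #init} has read the configuration. */
    private String[] characterParams = new String[0];

    /** True only when at least one non-empty token is configured. */
    private boolean filteringEnabled = false;

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Checks the request parameters against the configured tokens and either rejects the
     * request or passes it on.
     *
     * @param request  the incoming request whose parameters are inspected
     * @param response the response; cast to {@link HttpServletResponse}
     * @param arg2     the remaining filter chain
     * @throws IOException      if writing the rejection page fails or the chain throws it
     * @throws ServletException if the chain throws it
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain arg2)
            throws IOException, ServletException {
        HttpServletResponse servletresponse = (HttpServletResponse) response;

        // Kept from the original: these defaults are set for every response that passes
        // through the filter, not only for the rejection page.
        servletresponse.setContentType("text/html");
        servletresponse.setCharacterEncoding("UTF-8");

        if (filteringEnabled && containsIllegalToken(request)) {
            // Mark the rejection as a client error so it is distinguishable from a normal
            // page in access logs and monitoring.
            servletresponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            PrintWriter out = servletresponse.getWriter();
            // The message is a fixed string on purpose: never echo the request URL or any
            // parameter value into this script, or the rejection page itself becomes a
            // reflection point.
            out.print("<script language='javascript'>alert(\"Sorry! The entered content "
                    + "contains invalid characters. For example:\\\"'\\\".\");"
                    + "window.history.go(-1);</script>");
            return;
        }

        arg2.doFilter(request, response);
    }

    /**
     * Reads the comma-separated {@code characterParams} init parameter.
     *
     * <p>A missing or empty parameter disables filtering instead of failing with a
     * {@link NullPointerException}. Empty list entries (for example from {@code "a,,b"}) are
     * dropped, because an empty token is a substring of every value and would reject every
     * request that carries a parameter.
     *
     * @param config the filter configuration supplied by the container
     * @throws ServletException never thrown here; declared by the {@link Filter} contract
     */
    @Override
    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("characterParams");
        List<String> tokens = new ArrayList<String>();
        if (configured != null) {
            String[] parts = configured.split(",");
            for (int i = 0; i < parts.length; i++) {
                if (parts[i].length() > 0) {
                    tokens.add(parts[i]);
                }
            }
        }
        this.characterParams = tokens.toArray(new String[0]);
        this.filteringEnabled = this.characterParams.length > 0;
    }

    /** Returns true when the joined values of any request parameter contain a configured token. */
    private boolean containsIllegalToken(ServletRequest request) {
        Enumeration<?> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            // Values are joined before matching, as in the original, so a token that spans
            // two values of the same parameter is still caught.
            StringBuilder joined = new StringBuilder();
            for (int i = 0; i < values.length; i++) {
                joined.append(values[i]);
            }
            String paramValue = joined.toString();
            for (int i = 0; i < characterParams.length; i++) {
                if (paramValue.indexOf(characterParams[i]) >= 0) {
                    return true;
                }
            }
        }
        return false;
    }
}

// 2. Add the following content to the web.xml file:
//
//   <!-- Invalid character filter -->
//   <filter>
//     <filter-name>IllegalCharacterFilter</filter-name>
//     <filter-class>com.liufeng.sys.filter.IllegalCharacterFilter</filter-class>
//     <init-param>
//       <param-name>characterParams</param-name>
//       <param-value>',@</param-value>
//       <!-- Add the characters or strings to be filtered, separated by commas -->
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>IllegalCharacterFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
//
// Restart your server. In this way, adding this filter can improve website security and help
// against SQL injection and cross-site scripting (XSS). Note that a character deny-list only
// narrows what reaches the application: it inspects request parameters alone and matches
// literal substrings, so the queries behind the site still need to be parameterized and any
// user-supplied text still needs to be encoded when it is written into a page.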