Our Java website has encountered some problems today and requires a quick solution to protect the website against malicious cross-site scripting (XSS) attempts. I'm not saying this is a perfect solution, but it is easy to implement and correct vulnerabilities, forms and URL injection. We can basically intercept every request sent to the Web application through the Servlet filter. Then we use an HttpServletRequestWrapper to wrap and override the getParameter method to clear any possible Script Injection. Here's the Filter: package com. greatwebguy. filter; import java. io. IOException; import javax. servlet. filter; import javax. servlet. filterChain; import javax. servlet. filterConfig; import javax. servlet. servletException; import javax. servlet. servletRequest; import javax. servlet. servletResponse; import javax. servlet. http. httpServletRequest; public class CrossScriptingFilter implements Filter {public void init (FilterConfig filterConfig) throws ServletException {this. filterConfig = filterConfig;} public void destroy () {this. filterConfig = null;} public void doFilter (ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {chain. doFilter (new RequestWrapper (HttpServletRequest) request), response) ;}} Here's the wrapper: package com. greatwebguy. filter; import javax. servlet. http. httpServletRequest; import javax. servlet. http. extends; public final class RequestWrapper extends {public RequestWrapper (HttpServletRequest servletRequest) {super (servletRequest);} public String [] getParameterValues (String parameter) {String [] values = super. getParameterValues (parameter); if (values = null) {return null;} int count = values. length; String [] encodedValues = new String [count]; for (int I = 0; I <count; I ++) {encodedValues [I] = cleanXSS (values [I]);} return encodedValues;} public String getParameter (String parameter) {String value = super. getParameter (parameter); if (value = null) {return null;} return cleanXSS (value);} public String getHeader (String name) {String value = super. getHeader (name); if (value = null) return null; return cleanXSS (value);} private String cleanXSS (String value) {// You'll need to remove the spaces from the html entities below value = value. replaceAll ("<", "& lt ;"). replaceAll (">", "& gt;"); value = value. replaceAll ("\ (", "& #40 ;"). replaceAll ("\)", "& #41;"); value = value. replaceAll ("'", "& #39;"); value = value. replaceAll ("eval \\((. *) \) "," "); value = value. replaceAll ("[\" \ '] [\ s] * javascript :(. *) [\ "\ ']", "\" \ ""); value = value. replaceAll ("script", ""); return value ;}} added to your web. top of xml: www.2cto.com <filter> <filter-name> XSS </filter-name> <display-name> XSS </display-name> <description> </description> <filter-class> com. greatwebguy. filter. crossScriptingFilter </filter-class> </filter> <filter-mapping> <filter-name> XSS </filter-name> <url-pattern>/* </url-pattern> </filter-mapping>