JAVA服务端防止XSS攻击

JAVA服务端防止XSS攻击

在网站登录页面的用户名输入框中输入 `1"><script>alert(10350)</script>`，密码随便输，然后点击登录，效果如下图

*需要注意的是：Google 浏览器似乎不会弹出这个弹出框，IE 是可以的。*

JAVA服务端防止XSS攻击

1.web.xml中加入以下过滤器

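	<!-- web.xml: register the XSS filter and map it to every URL -->
	<filter>
        <filter-name>XssEscape</filter-name>
        <filter-class>com.skiocar.filter.XssFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>XssEscape</filter-name>
        <url-pattern>/*</url-pattern>
        <!-- REQUEST only: FORWARD/INCLUDE/ERROR dispatches are not wrapped by this filter -->
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>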
  

2. 新建XssFilter类实现 Filter

package com.skiocar.filter;

import java.io.IOException;  
  
import javax.servlet.Filter;  
import javax.servlet.FilterChain;  
import javax.servlet.FilterConfig;  
import javax.servlet.ServletException;  
import javax.servlet.ServletRequest;  
import javax.servlet.ServletResponse;  
import javax.servlet.http.HttpServletRequest;  
  
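/**
 * Servlet filter that wraps every HTTP request in an {@link XssHttpServletRequestWrapper}
 * so that downstream code reading headers, the query string or parameters through the
 * wrapper receives HTML-escaped values.
 *
 * <p>Requests that are not {@link HttpServletRequest} instances are passed through
 * unchanged rather than failing with a {@code ClassCastException}.
 */
public class XssFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No init-params are read; nothing to set up.
    }

    /**
     * Wraps the request when it is an HTTP request and continues the chain.
     *
     * @param request  the incoming request
     * @param response the outgoing response, passed through untouched
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // Guard the cast: only HTTP requests can be wrapped. Anything else
        // (unexpected under a /* mapping, but possible) goes through as-is.
        ServletRequest wrapped = request instanceof HttpServletRequest
                ? new XssHttpServletRequestWrapper((HttpServletRequest) request)
                : request;
        chain.doFilter(wrapped, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}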

3.新建XssHttpServletRequestWrapper 继承 HttpServletRequestWrapper

package com.skiocar.filter;

import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.commons.lang3.StringEscapeUtils;

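/**
 * Request wrapper that HTML-escapes (via {@link StringEscapeUtils#escapeHtml4}) the
 * values returned by {@link #getHeader}, {@link #getQueryString}, {@link #getParameter},
 * {@link #getParameterValues} and {@link #getParameterMap}.
 *
 * <p>Limitations to keep in mind:
 * <ul>
 *   <li>Only the accessors listed above are intercepted; {@code getHeaders(String)},
 *       {@code getInputStream()} / {@code getReader()} (request bodies) are not.</li>
 *   <li>Escaping on the way in changes the stored data: a value containing {@code &},
 *       {@code <}, {@code >} or {@code "} is persisted as HTML entities. Context-aware
 *       output encoding in the view layer remains the primary XSS defence; this wrapper
 *       is a coarse additional layer.</li>
 * </ul>
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

  /**
   * Creates the wrapper around {@code request}.
   *
   * @param request the request to wrap
   */
  public XssHttpServletRequestWrapper(HttpServletRequest request) {
      super(request);
  }

  /** HTML-escapes one value; a {@code null} input yields {@code null}. */
  private static String escape(String value) {
      return StringEscapeUtils.escapeHtml4(value);
  }

  /** HTML-escapes every element of {@code values}; a {@code null} array yields {@code null}. */
  private static String[] escapeAll(String[] values) {
      if (values == null) {
          return null;
      }
      String[] escaped = new String[values.length];
      for (int i = 0; i < values.length; i++) {
          escaped[i] = escape(values[i]);
      }
      return escaped;
  }

  @Override
  public String getHeader(String name) {
      return escape(super.getHeader(name));
  }

  @Override
  public String getQueryString() {
      // escapeHtml4 also rewrites '&' as '&amp;', so a caller that parses the
      // returned string as key=value&key=value pairs must account for that.
      return escape(super.getQueryString());
  }

  @Override
  public String getParameter(String name) {
      return escape(super.getParameter(name));
  }

  @Override
  public String[] getParameterValues(String name) {
      // Escape into a fresh array; the underlying request's array is never mutated.
      return escapeAll(super.getParameterValues(name));
  }

  /**
   * Returns the parameter map with every value escaped. Without this override, code
   * reading parameters through {@code getParameterMap()} (e.g. binding frameworks)
   * would bypass the escaping applied by {@link #getParameter}.
   *
   * @return an unmodifiable map of escaped parameter values, or {@code null} if the
   *         wrapped request returns {@code null}
   */
  @Override
  public Map<String, String[]> getParameterMap() {
      Map<String, String[]> raw = super.getParameterMap();
      if (raw == null) {
          return null;
      }
      Map<String, String[]> escaped = new LinkedHashMap<>();
      for (Map.Entry<String, String[]> entry : raw.entrySet()) {
          escaped.put(entry.getKey(), escapeAll(entry.getValue()));
      }
      return Collections.unmodifiableMap(escaped);
  }

}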

会用到 commons-lang3 这个包，需要在 pom 文件中加入以下依赖

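	<dependency>
	    <groupId>org.apache.commons</groupId>
	    <artifactId>commons-lang3</artifactId>
	    <!-- NOTE: later commons-lang3 releases deprecate StringEscapeUtils in favour of
	         the equivalent in commons-text; revisit this when upgrading the version. -->
	    <version>3.0</version>
	</dependency>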