xss跨站脚本攻击的解决方案：

1.建立一个HttpServletRequestWapper的包装类，对用户发送的请求进行包装，把request中包含XSS代码进行过滤，代码如下：

importjava.util.Map;
importjavax.servlet.http.HttpServletRequest;
importjavax.servlet.http.HttpServletRequestWrapper;
publicclassXssHttpServletRequestWrapperextendsHttpServletRequestWrapper{
HttpServletRequestorgRequest=null;
publicXssHttpServletRequestWrapper(HttpServletRequestrequest){
super(request);
}
/**
*覆盖getParameter方法，将参数名和参数值都做xss过滤。
*如果需要获得原始的值，则通过super.getParameterValues(name)来获取
*getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
*/
@Override
publicStringgetParameter(Stringname){
Stringvalue=super.getParameter(xssEncode(name));
if(value!=null){
value=xssEncode(value);
}
returnvalue;
}
@Override
publicString[]getParameterValues(Stringname){
String[]value=super.getParameterValues(name);
if(value!=null){
for(inti=0;i<value.length;i++){
value[i]=xssEncode(value[i]);
}
}
returnvalue;
}
@Override
publicMapgetParameterMap(){
//TODOAuto-generatedmethodstub
returnsuper.getParameterMap();
}
/**
*覆盖getHeader方法，将参数名和参数值都做xss过滤。
*如果需要获得原始的值，则通过super.getHeaders(name)来获取
*getHeaderNames也可能需要覆盖
*这一段代码在一开始没有注释掉导致出现406错误，原因是406错误是HTTP协议状态码的一种，
*表示无法使用请求的内容特性来响应请求的网页。一般是指客户端浏览器不接受所请求页面的MIME类型。
*
@Override
publicStringgetHeader(Stringname){
Stringvalue=super.getHeader(xssEncode(name));
if(value!=null){
value=xssEncode(value);
}
returnvalue;
}
**/
/**
*将容易引起xss漏洞的半角字符直接替换成全角字符在保证不删除数据的情况下保存
*@params
*@return过滤后的值
*/
privatestaticStringxssEncode(Stringvalue){
if(value==null||value.isEmpty()){
returnvalue;
}
value=value.replaceAll("eval\\((.*)\\)","");
value=value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']","\"\"");
value=value.replaceAll("(?i)<script.*?>.*?<script.*?>","");
value=value.replaceAll("(?i)<script.*?>.*?</script.*?>","");
value=value.replaceAll("(?i)<.*?javascript:.*?>.*?</.*?>","");
value=value.replaceAll("(?i)<.*?\\s+on.*?>.*?</.*?>","");
returnvalue;
}
}

2.使用Filter过滤器实现对Request的过滤，代码如下：

importjava.io.IOException;
importjavax.servlet.Filter;
importjavax.servlet.FilterChain;
importjavax.servlet.FilterConfig;
importjavax.servlet.ServletException;
importjavax.servlet.ServletRequest;
importjavax.servlet.ServletResponse;
importjavax.servlet.http.HttpServletRequest;
importcom.lyms.wxyl.base.wrapper.XssHttpServletRequestWrapper;
publicclassXssFilterimplementsFilter{
publicvoiddestroy(){
//TODOAuto-generatedmethodstub
}
/**
*过滤器用来过滤的方法
*/
publicvoiddoFilter(ServletRequestrequest,ServletResponseresponse,FilterChainchain)throwsIOException,ServletException{
//包装request
XssHttpServletRequestWrapperxssRequest=newXssHttpServletRequestWrapper((HttpServletRequest)request);
chain.doFilter(xssRequest,response);
}
publicvoidinit(FilterConfigfilterConfig)throwsServletException{
//TODOAuto-generatedmethodstub
}
}

3.在Web.xml中定义好Filter，例如：

<filter>
<filter-name>XssFilter</filter-name>
<filter-class>包名.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

4.Filter类需要引入javax.servlet.api的jar包，因此要在pom.xml配置jar包，代码：

<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>${servlet.version}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jsp-api</artifactId>
<version>2.0</version>
<scope>provided</scope>
</dependency>
<properties>
<servlet.version>3.0-alpha-1</servlet.version>
</properties>