What is an XSS attack?
An XSS attack injects JavaScript into a page so that the browser executes it.
For example, injecting the following into a form field: <script>location.href='http://www.itmayiedu.com'</script>
Note: Google Chrome already blocks XSS attacks, so to see the effect of the demo it is best to use Firefox.
Solution
Use a Filter to filter out injected tags
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.commons.lang3.StringUtils;

/**
 * Prevents XSS attacks by HTML-escaping request parameters.
 */
public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {

    HttpServletRequest request;

    public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        this.request = request;
    }

    @Override
    public String getParameter(String name) {
        String value = request.getParameter(name);
        System.out.println("name:" + name + "," + value); // debug output of the raw value
        if (!StringUtils.isEmpty(value)) {
            // Convert HTML special characters (<, >, &, ") to entities
            value = StringEscapeUtils.escapeHtml4(value);
        }
        return value;
    }
}
What actually solves the problem is character escaping: the HTML special characters are converted to entities, so the browser renders the input as plain text instead of parsing it as markup and executing the script.
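The Filter that installs the wrapper on every request is referred to above but not shown; the following is an added example, not the original author's code. It assumes a Servlet 3.0+ container (javax.servlet with annotation-based registration) and the wrapper class name from the post; the class name XssFilter and the "/*" URL pattern are assumptions.

```java
// Added example (not from the original post): a servlet Filter that replaces the raw
// request with XssAndSqlHttpServletRequestWrapper so every downstream servlet receives
// HTML-escaped values from getParameter(). Class name and URL pattern are assumptions.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;

@WebFilter(urlPatterns = "/*")
public class XssFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to configure for this filter
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            // Hand the wrapper, not the raw request, to the rest of the chain.
            // Example: the payload from the post arrives as
            //   <script>location.href='http://www.itmayiedu.com'</script>
            // and getParameter() now returns
            //   &lt;script&gt;location.href='http://www.itmayiedu.com'&lt;/script&gt;
            HttpServletRequest wrapped =
                    new XssAndSqlHttpServletRequestWrapper((HttpServletRequest) request);
            chain.doFilter(wrapped, response);
        } else {
            // Non-HTTP requests pass through unchanged
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() {
        // No resources to release
    }
}
```

Two caveats when relying on this approach: escapeHtml4 does not escape the single quote, so the escaped value is safe in element content and double-quoted attributes but not inside a single-quoted attribute; and only getParameter() is overridden, so getParameterValues(), getParameterMap() and headers still return the raw input unless the wrapper overrides them too.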