关于什么是xss漏洞 参考:https://blog.****.net/cpongo11/article/details/103312716
对页面传入的参数值进行过滤,过滤方法如下
public static String xssEncode(String s) { if (s == null || s.equals("")) { return s; } try { s = URLDecoder.decode(s, "UTF-8"); } catch (UnsupportedEncodingException e) { e.printStackTrace(); } //< > ' " \ / # & s = s.replaceAll("<", "<").replaceAll(">", ">"); s = s.replaceAll("\\(", "(").replaceAll("\\)", ")"); s = s.replaceAll("'", "'"); s = s.replaceAll("eval\\((.*)\\)", ""); s = s.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\""); s = s.replaceAll("script", ""); s = s.replaceAll("#", "#"); s = s.replaceAll("%", "%"); return s; }