You can use

您可以使用

<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>

${fn:escapeXml(someValue)}

There is also a Good API JSoup

还有一个很好的API JSoup

Sanitize untrusted HTML

Problem

You want to allow untrusted users to supply HTML for output on your website (e.g. as comment submission). You need to clean this HTML to avoid cross-site scripting(XSS) attacks.

Solution

Use the jsoup HTML Cleanerwith a configuration specified by a Whitelist.

String unsafe = 
      "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
String safe = Jsoup.clean(unsafe, Whitelist.basic());
      // now: <p><a href="http://example.com/" rel="nofollow">Link</a></p>

清理不受信任的 HTML

问题

您希望允许不受信任的用户提供 HTML 以在您的网站上输出（例如作为评论提交）。您需要清理此 HTML 以避免跨站点脚本(XSS) 攻击。

解决方案

使用Cleaner具有指定配置的 jsoup HTML Whitelist。

String unsafe = 
      "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
String safe = Jsoup.clean(unsafe, Whitelist.basic());
      // now: <p><a href="http://example.com/" rel="nofollow">Link</a></p>

So, all you basically need to do is the the following during processing the submitted text:

因此，在处理提交的文本期间，您基本上需要做的就是以下内容：

String text = request.getParameter("text");
String safe = Jsoup.clean(text, Whitelist.basic());
// Persist 'safe' in DB instead.

There is struts2securityaddons

有struts2securityaddons

This project contains additional configuration, interceptors, and other code used to improve the security of struts 2 applications.

该项目包含用于提高 struts 2 应用程序安全性的附加配置、拦截器和其他代码。

See also

也可以看看

• XSS Prevention oin Java
• Prevent jsp from XSS
• struts2securityaddons

• Java 中的 XSS 预防
• 防止jsp免受XSS攻击
• struts2securityaddons

Escaping input parameters as an XSS prevention mean has several disadvanteges, especially:

将输入参数转义作为 XSS 预防手段有几个缺点，尤其是：

• You can't be certain about destination of the particular input data, therefore you can't choose proper escaping scheme.
• Escaping input data masks lack of output escaping. Without consistent output escaping, you can still pass unescaped data to the unescaped output accidentially.
• Presence of escaping complicates data processing.

• 您无法确定特定输入数据的目的地，因此您无法选择合适的转义方案。
• 转义输入数据掩盖了缺乏输出转义。如果没有一致的输出转义，您仍然可以意外地将未转义的数据传递给未转义的输出。
• 转义的存在使数据处理复杂化。

Therefor it would be better to apply consistent output escaping instead.

因此，最好应用一致的输出转义。

See also:

也可以看看：

• OWASP XSS Prevention Cheat Sheet

• OWASP XSS 预防备忘单

There is no easy, out of the box solution against XSS with struts 2 tags. The OWASP ESAPI API has some support for the escaping that is very usefull, and they have tag libraries.

没有简单的、开箱即用的解决方案来对抗带有 struts 2 标签的 XSS。OWASP ESAPI API 有一些非常有用的转义支持，并且它们有标签库。

My approach was to basically to extend the stuts 2 tags in following ways.

我的方法基本上是通过以下方式扩展 stuts 2 标签。

1. Modify s:property tag so it can take extra attributes stating what sort of escaping is required (escapeHtmlAttribute="true" etc.). This involves creating a new Property and PropertyTag classes. The Property class uses OWASP ESAPI api for the escaping.
2. Change freemarker templates to use the new version of s:property and set the escaping.

1. 修改 s:property 标签，以便它可以采用额外的属性来说明需要什么样的转义（escapeHtmlAttribute="true" 等）。这涉及创建新的 Property 和 PropertyTag 类。Property 类使用 OWASP ESAPI api 进行转义。
2. 更改 freemarker 模板以使用新版本的 s:property 并设置转义。

If you didn't want to modify the classes in step 1, another approach would be to import the ESAPI tags into the freemarker templates and escape as needed. Then if you need to use a s:property tag in your JSP, wrap it with and ESAPI tag.

如果您不想修改步骤 1 中的类，另一种方法是将 ESAPI 标签导入 freemarker 模板并根据需要进行转义。然后如果你需要在你的 JSP 中使用 as:property 标签，用和 ESAPI 标签包装它。

I have written a more detailed explanation here.

我在这里写了更详细的解释。

http://www.nutshellsoftware.org/software/securing-struts-2-using-esapi-part-1-securing-outputs/

http://www.nutshellsoftware.org/software/securing-struts-2-using-esapi-part-1-securing-outputs/

I agree escaping inputs is not ideal.

我同意转义输入并不理想。