You should use AntiSamy. (That's what I did)

你应该使用AntiSamy。（这就是我所做的）

The great post how to prevent XSS attacks in different situations is posted in the following stack: Avoid XSS and allow some html tags with JavaScript

在以下堆栈中发布了如何在不同情况下防止 XSS 攻击的精彩帖子：Avoid XSS and allow some html tags with JavaScript

I've used the OWASPHTML sanitization project with much success.

我已经成功地使用了OWASPHTML 清理项目。

https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project

https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project

Policies can be defined (or predefined policies can be used) that enable you to control what types of HTML elements are allowed on the String being validated/sanitized. A listener can be used as the HTML is sanitized in order to determine what elements are getting rejected, giving you flexibility around how to communicate this back to the client. Other than an easy implementation, I also like this library because it is produced and maintained by OWASP, a long standing organization whose aim is web security.

可以定义策略（或可以使用预定义的策略），使您能够控制被验证/清理的字符串上允许使用的 HTML 元素类型。可以使用侦听器，因为 HTML 已被清理以确定哪些元素被拒绝，从而使您可以灵活地将其传达给客户端。除了简单的实现之外，我还喜欢这个库，因为它是由 OWASP 制作和维护的，OWASP 是一个长期存在的组织，其目标是网络安全。

If you want to accept HTML from the users, then AntiSamy or something like jsoup makes sense. However, if you just want a good set of escapers, you can use a library such as CSL

如果你想从用户那里接受 HTML，那么 AntiSamy 或类似 jsoup 的东西是有意义的。但是，如果你只是想要一套好的转义符，你可以使用CSL 之类的库

We have a cheat sheet online that shows how to use it in many HTML contexts (aka HTML constructs):

我们有一个在线备忘单，展示了如何在许多 HTML 上下文（又名 HTML 结构）中使用它：

I wrote a blog post on how to sanitize your inputs using OWASP library, may be can be helpful https://leantechblog.wordpress.com/2017/04/08/preventing-xss-sanitize-app-inputs/

我写了一篇关于如何使用 OWASP 库清理输入的博客文章，可能会有所帮助https://leantechblog.wordpress.com/2017/04/08/preventing-xss-sanitize-app-inputs/