In JSP, the special characters in output data (& < > " ' ( ) % + -) can be replaced with an alternative representation (HTML entities) before the data is written to the client, for example:
<%
String OutStr = "<script>alert('XSS')</script>";
// '&' must be replaced first, otherwise the '&' of the entities emitted below would be encoded again
OutStr = OutStr.replaceAll("&","&amp;");
OutStr = OutStr.replaceAll("<","&lt;");
OutStr = OutStr.replaceAll(">","&gt;");
OutStr = OutStr.replaceAll("\"","&quot;");
OutStr = OutStr.replaceAll("\'","&#39;");
// replaceAll takes a regex, so '(' ')' and '+' are escaped
OutStr = OutStr.replaceAll("\\(","&#40;");
OutStr = OutStr.replaceAll("\\)","&#41;");
OutStr = OutStr.replaceAll("%","&#37;");
OutStr = OutStr.replaceAll("\\+","&#43;");
OutStr = OutStr.replaceAll("-","&#45;");
out.println(OutStr);
%>
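The same encoding written as a reusable single-pass helper, added here as an example and not part of the original page. It escapes the character set listed above in one scan (so no regex escaping is needed and an already emitted entity is never re-encoded), and `escapeWrongOrder` shows the double-encoding defect that a chained `replaceAll` produces when `&` is not handled first. The class name, the numeric entity values and the sample input are this example's own choices.

```java
import java.util.HashMap;
import java.util.Map;

public class HtmlEscaper {
    // Same character set as the JSP snippet above; entity values are this example's choice.
    private static final Map<Character, String> ENTITIES = new HashMap<>();
    static {
        ENTITIES.put('&', "&amp;");
        ENTITIES.put('<', "&lt;");
        ENTITIES.put('>', "&gt;");
        ENTITIES.put('"', "&quot;");
        ENTITIES.put('\'', "&#39;");
        ENTITIES.put('(', "&#40;");
        ENTITIES.put(')', "&#41;");
        ENTITIES.put('%', "&#37;");
        ENTITIES.put('+', "&#43;");
        ENTITIES.put('-', "&#45;");
    }

    /** Single pass over the input: every character is inspected exactly once, so the
     *  '&' of an entity appended earlier can never be encoded a second time. */
    public static String escape(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            String rep = ENTITIES.get(c);
            if (rep != null) sb.append(rep); else sb.append(c);
        }
        return sb.toString();
    }

    /** Chained replaceAll with '&' handled LAST: the "&lt;" produced by the first call
     *  is turned into "&amp;lt;", so the browser renders a literal "&lt;" instead of "<".
     *  Kept only to make the ordering requirement visible; do not use it. */
    public static String escapeWrongOrder(String s) {
        String r = s.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        return r.replaceAll("&", "&amp;");
    }

    public static void main(String[] args) {
        String payload = "<script>alert('XSS')</script>"; // constructed sample input
        System.out.println(escape(payload));
        System.out.println(escapeWrongOrder("<b>"));
    }
}
```

Because `escape` decides per character, the output is independent of the order in which the table is declared, which removes the ordering pitfall entirely rather than just documenting it.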