js解决跨站点脚本编制问题

1.前台处理（容易绕过）：

<script type="text/javascript">
 $(document).ready(function(){
 var url=window.location.href;

 window.location.href=HTMLEnCode(url);
});

function HTMLEnCode(str) {
var s = "";
if (str.length == 0) return "";
s = str.replace(/&/g, "&gt;");
s = s.replace(/</g, "");
s = s.replace(/>/g, "");
s = s.replace(/ /g, "");
s = s.replace(/\"/g, "");
s = s.replace(/\'/g, "");
s = s.replace(/\n/g, "");
s = s.replace(/\//g, "");
s = s.replace(/\(/g, "");
s = s.replace(/\)/g, "");
s = s.replace(/\=/g, "");

return s;
} });
 </script>

2.后台处理：

    /**
     * 危险字符过滤方法
     * @param str
     * @return
     * @throws Exception
     */
    public static String dangerousCharacterFilter(String str) {
        //一种解决SQL盲注的后台过虑，其方式就是将可能出现的非法字符进行规制
        //java代码替换特殊字符
        //str="^&h\\/!@#$%^&*()+|/jgfj&%fgd''$#$@!)(}|";
        if(str!=null){
            str = str.replaceAll("(\\|)", "");
            str = str.replaceAll("(\\&)", "");
            str = str.replaceAll("(\\;)", "");
            str = str.replaceAll("(\\$)", "");
            str = str.replaceAll("(\\%)", "");
            str = str.replaceAll("(\\@)", "");
            str = str.replaceAll("(\\')", "");
            str = str.replaceAll("(\\\")", "");
            str = str.replaceAll("(\\>)", "");
            str = str.replaceAll("(\\<)", "");
            str = str.replaceAll("(\\))", "");
            str = str.replaceAll("(\\()", "");
            str = str.replaceAll("(\\+)", "");
            //str = str.replaceAll("(\\CR)", "");  //回车符 ASCII 0x0d
            //str = str.replaceAll("(\\LF)", "");  //换行 ASCII 0x0a
            str = str.replaceAll("(\\,)", "");
            str = str.replaceAll("(\\\\)", "");
            str = str.replaceAll("(\\#|$)", "");
       }
       return str;
    }

3.添加过滤器（暂时没做）