web.xml添加过滤器

    <!--XssFileter-->
    <filter>
        <filter-name>XssFilter</filter-name>
        <filter-class>com.thinkgem.jeesite.test.response.XssFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>XssFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

简化代码版本

过滤器代码

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;


public class XssFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        //使用包装器
        XssFilterWrapper xssFilterWrapper=new XssFilterWrapper((HttpServletRequest) servletRequest);
        filterChain.doFilter(xssFilterWrapper,servletResponse);
    }

    @Override
    public void destroy() {

    }
}

过滤器包装器代码

import org.springframework.web.util.HtmlUtils;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;


public class XssFilterWrapper extends HttpServletRequestWrapper {
    public XssFilterWrapper(HttpServletRequest request) {
        super(request);
    }
    /**
     * 对数组参数进行特殊字符过滤
     */
    @Override
    public String[] getParameterValues(String name) {
//过滤掉不拦截的
        if("articleData.content".equalsIgnoreCase(name)){
            return super.getParameterValues(name);
        }

        String[] values = super.getParameterValues(name);
        if (values == null) {
            return null;
        }
        String[] newValues = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            newValues[i] = HtmlUtils.htmlEscape(values[i]);//spring的HtmlUtils进行转义
        }
        return newValues;
    }
}

总结：

主要是使用Java Web的过滤器，将所有的request请求参数修改（主要是把存在xss风险的标签转义，如：<script></script>），在转义时我没有自己实现替换与转义，是直接使用的spring自带的HtmlUtils类的htmlEscape方法转义的，方便很多