javaweb项目使用antisamy防御xss

<dependency>
    <groupId>org.owasp.antisamy</groupId>
    <artifactId>antisamy</artifactId>
    <version>1.5.5</version>
</dependency>
<dependency>
<groupId>xerces</groupId>
   <artifactId>xercesImpl</artifactId>
   <version>2.9.0</version>
</dependency>

<filter>
<filter-name>XSSFilter</filter-name>
<filter-class>com.web.filter.XssFilter</filter-class>
</filter>

<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

public class XssFilter implements Filter{

	@Override
    public void destroy() {}

	@Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest)request;
        HttpServletResponse resp = (HttpServletResponse)response;
        resp.setHeader("SET-COOKIE", "JSESSIONID=" + req.getSession().getId()+ "; HttpOnly");
        
        chain.doFilter(new XssRequestWrapper(req), resp);
    }
    
    @Override
    public void init(FilterConfig fConfig) throws ServletException {}
}

public class XssRequestWrapper extends HttpServletRequestWrapper {

    private static Policy policy = null;

    static {
        String path = XssRequestWrapper.class.getClassLoader().getResource("antisamy-ebay.xml").getFile();
        System.out.println("policy_filepath:" + path);
        if (path.startsWith("file")) {
            path = path.substring(6);
        }
        try {
            policy = Policy.getInstance(path);
        } catch (PolicyException e) {
            e.printStackTrace();
        }
    }

    public XssRequestWrapper(HttpServletRequest request) {
        super(request);
    }
    
    /**
     * 参数清洗
     */
    @Override
    public String getParameter(String paramString) {
        String str = super.getParameter(paramString);
        if (str == null)
            return null;
        return xssClean(str);
    }
    
    /**
     * 请求头清洗
     */
    @Override
    public String getHeader(String paramString) {
        String str = super.getHeader(paramString);
        if (str == null)
            return null;
        return xssClean(str);
    }
    /**
     * 参数Map清洗
     */
    @SuppressWarnings("rawtypes")
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> request_map = super.getParameterMap();
        Iterator iterator = request_map.entrySet().iterator();
        System.out.println("request_map" + request_map.size());
        while (iterator.hasNext()) {
            Map.Entry me = (Map.Entry) iterator.next();
            String[] values = (String[]) me.getValue();
            for (int i = 0; i < values.length; i++) {
                values[i] = xssClean(values[i]);
            }
        }
        return request_map;
    }
    /**
     * 参数数组清洗
     */
    @Override
    public String[] getParameterValues(String paramString) {
        String[] arrayOfString1 = super.getParameterValues(paramString);
        if (arrayOfString1 == null)
            return null;
        int i = arrayOfString1.length;
        String[] arrayOfString2 = new String[i];
        for (int j = 0; j < i; j++)
            arrayOfString2[j] = xssClean(arrayOfString1[j]);
        return arrayOfString2;
    }

    /**
     * 清洗数据
     */
    private String xssClean(String value) {
        AntiSamy antiSamy = new AntiSamy();
        try {
            final CleanResults cr = antiSamy.scan(value, policy);
            // 安全的HTML输出
            String str = StringEscapeUtils.unescapeHtml(cr.getCleanHTML());
            str = str.replaceAll(antiSamy.scan("&nbsp;",policy).getCleanHTML(),"");
            str = str.replaceAll(antiSamy.scan(""",policy).getCleanHTML(),""");
            return str;
        } catch (ScanException e) {
            e.printStackTrace();
        } catch (PolicyException e) {
            e.printStackTrace();
        }
        return value;
    }
}