<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/>
<title>AJ Security/Prevent XSS Cross-Site Scripting Attacks</title>
<meta name="description" content="A Practical Java Web Security Library. Prevent XSS Cross-Site Scripting Attacks"/>
<meta name="keywords" content="security, xss, csrf, captcha, XSS"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<link rel="stylesheet" href="https://framework.ajaxjs.com/static/font/font.css" />
<link rel="stylesheet" href="/asset/main.css"/>
<link rel="icon" type="image/x-icon" href="https://framework.ajaxjs.com/aj-logo/logo.ico"/>
<script src="https://framework.ajaxjs.com/static/aj-docs/common.js"></script>
<script>
var userLang = navigator.language || navigator.userLanguage;
if (userLang.startsWith('zh') && location.pathname.indexOf('cn') == -1) {
confirm('欢迎!您可以改为访问中文内容。是否继续?') && location.assign('/cn');
}
var _hmt = _hmt || [];
(function() {
var hm = document.createElement("script");
hm.src = "https://hm.baidu.com/hm.js?950ba5ba1f1fe4906c3b4cf836080f03";
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(hm, s);
})();
</script>
</head>
<body>
<nav>
<div>
<div class="links">
<a href="/">🏠 Home</a>
| ⚙️ Source:
<a target="_blank" href="https://github.com/lightweight-component/aj-security">Github</a>/<a target="_blank" href="https://gitcode.com/lightweight-component/aj-security">Gitcode</a>
|
<a href="/cn">Chinese Version</a>
</div>
<h1><img src="https://framework.ajaxjs.com/aj-logo/logo.png" style="vertical-align: middle;height: 45px;margin-bottom: 6px;" /> AJ Security</h1>
<h3>User Manual</h3>
</div>
</nav>
<div>
<menu>
<ul>
<li class="selected">
<a href="/">Home</a>
</li>
<li>
<a href="/install">Installation & Configuration</a>
</li>
</ul>
<h3>HTTP Web Security</h3>
<ul>
<li>
<a href="/http/http-referer">HTTP Referer Validation</a>
</li>
<li>
<a href="/http/timestamp">Timestamp Encrypted Token Validation</a>
</li>
<li>
<a href="/http/paramssign">Parameter Signature</a>
</li>
<li>
<a href="/http/ip-list">IP Whitelist/Blacklist</a>
</li>
<li>
<a href="/http/nonrepeatsubmit">Prevent Duplicate Submission</a>
</li>
</ul>
<h3>General Web Validation</h3>
<ul>
<li>
<a href="/classic/xss">Prevent XSS Attacks</a>
</li>
<li>
<a href="/classic/crlf">Prevent CRLF Attacks</a>
</li>
</ul>
<h3>Captcha Mechanism</h3>
<ul>
<li><a href="/captcha/img-captcha">Image Captcha</a></li>
<li><a href="/captcha/google">Google-based Captcha</a></li>
<li><a href="/captcha/cf">CloudFlare-based Captcha</a></li>
</ul>
<h3>HTTP Standard Authentication</h3>
<ul>
<li><a href="/auth/http-basic-auth">HTTP Basic Auth</a></li>
<li><a href="/auth/http-digest-auth">HTTP Digest Auth</a></li>
</ul>
<h3>API Features</h3>
<ul>
<li><a href="/api/limit">Rate Limiting</a></li>
</ul>
<h3>Other Practical Features</h3>
<ul>
<li><a href="/misc/desensitize">Field Desensitization</a></li>
<li><a href="/misc/encryption-api">API Encryption</a></li>
<li><a href="/misc/trace-id">Trace Tracking</a></li>
</ul>
</menu>
<article>
<h1>General Web Validation</h1>
<p>General web validation primarily addresses the prevention of attacks such as XSS, CSRF, and CRLF. Unlike other
components within this framework that rely on Spring Interceptors, the validation mechanism here is implemented using
traditional Servlet filters.</p>
<pre><code class="language-java">@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
if (isEnabled) {
SecurityRequest securityRequest = new SecurityRequest((HttpServletRequest) request);
SecurityResponse securityResponse = new SecurityResponse((HttpServletResponse) response);
securityResponse.isCRLFCheck = isCRLFCheck;
securityResponse.isCookiesSizeCheck = isCookiesSizeCheck;
securityResponse.maxCookieSize = maxCookieSize;
securityRequest.isXssCheck = securityResponse.isXssCheck = isXssCheck;
chain.doFilter(securityRequest, securityResponse);// Continue processing the request
}
else
chain.doFilter(request, response);
}
</code></pre>
<p>By overriding the Servlet's method in this way, even if the Java system is attacked or compromised, the filter can still
effectively prevent XSS attacks.</p>
<h1>Prevent XSS Cross-Site Scripting Attacks</h1>
<p>XSS (Cross-Site Scripting) is a type of attack where malicious code (usually JavaScript) is injected into a web
application. Attackers exploit XSS vulnerabilities to steal user data, hijack sessions, or manipulate browser behavior.</p>
<p>The key to preventing XSS attacks is to strictly validate and escape user inputs, ensuring that any dynamic content is
not interpreted as executable code before being output to a page.</p>
<h2>Configuration</h2>
<p>First, ensure the filter is enabled by setting <code>enabled: true</code>, then activate <code>xssCheck</code> to enable detection.</p>
<pre><code class="language-yaml">security:
web: # General attack prevention
enabled: true
xssCheck: true # Prevent XSS Cross-Site Scripting Attacks
</code></pre>
</article>
</div>
<footer>
AJ Security, a part of
<a href="https://framework.ajaxjs.com" target="_blank">AJ-Framework</a>
open source. Mail:frank@ajaxjs.com, visit
<a href="https://blog.csdn.net/zhangxin09" target="_blank">my blog(In Chinese)</a>. <br/> <br/> Copyright © 2025 Frank Cheung. All rights reserved.
</footer>
</body>
</html>
