XSS対策

jetspeed1にはXSSの対策が行われていません。フィルターを用いて、URL（リクエストURIおよびクエリ文字列）に `<` `>` やその%エンコード形（`%3C` `%3E` など）が含まれるリクエストを 400 で拒否することで、URL経由のスクリプト挿入に対する緩和策になります。ただしこれはブラックリスト方式の緩和策であり、POSTボディ・リクエストヘッダー・Cookie は検査されず、山括弧を必要としない属性値や JavaScript コンテキストへの挿入は防げないため、出力時のエスケープ（出力エンコーディング）を併用する必要があります。


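/**
 * Rejects requests whose request URI or query string carries an angle bracket,
 * either literally or percent-encoded, by answering 400 Bad Request. Every
 * other request (including non-HTTP ones) is handed down the chain untouched.
 *
 * NOTE(review): this is a blocklist-style mitigation for script injection via
 * the URL only. It does not inspect POST bodies, headers or cookies, and it
 * cannot stop injection into attribute or JavaScript contexts that needs no
 * angle bracket at all; output encoding at render time is still required.
 *
 * @param request  the incoming request; only {@link HttpServletRequest}s are inspected
 * @param response the response, used to send the 400 on rejection
 * @param chain    the remaining filter chain
 * @throws IOException      propagated from {@code sendError} or the chain
 * @throws ServletException propagated from the chain
 */
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    if (request instanceof HttpServletRequest) {
        HttpServletRequest hreq = (HttpServletRequest) request;
        // Both values are taken in their raw (still percent-encoded) form, so
        // isInvalid also has to look through the encoding, not just for '<'/'>'.
        if (isInvalid(hreq.getQueryString()) || isInvalid(hreq.getRequestURI())) {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
    }
    chain.doFilter(request, response);
}

/**
 * Upper bound on nested percent-decoding passes. Attackers nest encodings
 * ("%253C" -> "%3C" -> "<") to slip past a single-layer check; a small fixed
 * bound catches that without letting a crafted value drive unbounded work.
 */
private static final int MAX_DECODE_PASSES = 3;

/**
 * Returns {@code true} when {@code value} contains '&lt;' or '&gt;' literally or
 * at any percent-encoding depth up to {@link #MAX_DECODE_PASSES}, so "%3c",
 * "%3E" and "%253C" are all caught regardless of hex case. A {@code null}
 * value, an empty value and a value whose percent-encoding is malformed are
 * treated as valid unless a bracket was already visible before decoding.
 *
 * @param value raw query string or request URI; may be {@code null}
 * @return {@code true} if the request should be rejected
 */
private boolean isInvalid(String value) {
    if (value == null) {
        return false;
    }
    String current = value;
    for (int pass = 0; ; pass++) {
        if (current.indexOf('<') != -1 || current.indexOf('>') != -1) {
            return true;
        }
        if (pass == MAX_DECODE_PASSES) {
            return false;
        }
        String decoded;
        try {
            // Fully qualified on purpose: the file's import block is not part
            // of this excerpt, so no new import is required.
            decoded = java.net.URLDecoder.decode(current, "UTF-8");
        } catch (java.io.UnsupportedEncodingException e) {
            // UTF-8 is mandatory on every JVM; reaching here is a platform bug.
            throw new IllegalStateException("UTF-8 not supported", e);
        } catch (IllegalArgumentException e) {
            // Malformed %-sequence: there is nothing further to decode, and the
            // literal check above has already run on this form.
            return false;
        }
        if (decoded.equals(current)) {
            // Fixed point reached: no encoding layer left to peel.
            return false;
        }
        current = decoded;
    }
}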