What should I do to prevent XSS in Java? I'm using Spring MVC. Right now I am just putting all places where I output user text into
<c:out /> tags, but this seems error prone as I might miss a place.
Is there an easy systematic way to prevent this? Maybe like a filter or something?
EDIT: I'm collecting input by specifying
@RequestParam parameters on my controller methods.
In Spring you can escape the html from JSP pages generated by
<form> tags. This closes off a lot of avenues for XSS attacks, and can be done automatically in three ways:
For the entire application in the
For all forms on a given page in the file itself:
<spring:htmlEscape defaultHtmlEscape="true" />
For each form:
<form:input path="someFormField" htmlEscape="true" />
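To see what the htmlEscape setting actually changes, here is an added example (not code from the question or the answer above) that renders a form field value with and without escaping, using Spring's HtmlUtils.htmlEscape from org.springframework.web.util. It assumes spring-web is on the classpath; the class name and the sample input are constructed for illustration.

```java
import org.springframework.web.util.HtmlUtils;

// Added example: shows what htmlEscape="true" (or defaultHtmlEscape="true")
// does to a user-supplied value that is echoed back into a form field.
// Assumes spring-web is on the classpath.
public class HtmlEscapeDemo {

    // Renders the value attribute of an <input> the way a JSP would with
    // escaping disabled: the raw string lands inside the attribute, so a
    // double quote in the value closes the attribute and what follows is
    // parsed as markup.
    static String renderUnescaped(String value) {
        return "<input type=\"text\" name=\"q\" value=\"" + value + "\" />";
    }

    // Same rendering with the escaping applied: quotes, angle brackets and
    // ampersands become entities, so the value can neither close the
    // attribute nor start a tag. The browser still shows the original text.
    static String renderEscaped(String value) {
        return "<input type=\"text\" name=\"q\" value=\""
                + HtmlUtils.htmlEscape(value) + "\" />";
    }

    public static void main(String[] args) {
        // Constructed input: a value a user could type into a search box that
        // tries to break out of the attribute and inject a tag.
        String userInput = "\"><b>injected</b>";

        // Unescaped: the input becomes part of the page's markup.
        System.out.println(renderUnescaped(userInput));
        // Escaped: the same input is rendered as inert text inside the attribute.
        System.out.println(renderEscaped(userInput));
    }
}
```

The escaped output contains `&quot;&gt;&lt;b&gt;injected&lt;/b&gt;` inside the attribute, which is what the JSP tags emit once escaping is switched on application-wide.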