Why Spring Security’s Full‑Chain Protection Can Eradicate XSS and SQL Injection

Last Wednesday night a friend called in panic because his small website had been "data‑leaked"—user phone numbers and addresses were exposed after a simple XSS filter failed.

The solution is not a single "silver bullet" but a full‑chain protection strategy that secures the application from the entry point to the database and beyond, with Spring Security as the core framework.

I have seen many developers rely on a single filter or a WAF and think they are safe, only to discover that black‑box scanners still detect stored XSS and SQL injection. Security must be built like a house: from the foundation (coding standards) to doors, windows, and perimeter walls.

Master tip 1: Do not trust a single "silver bullet"; security is a system‑level engineering effort.

The full‑chain protection consists of three steps: block the entry, cut off the channel, and guard the core. Spring Security implements all three clearly.

1. Entry protection – clean the request

Relying on manual String safeInput = input.replaceAll("<", "<") in controllers is low‑level and error‑prone. Instead, use a custom XssHttpServletRequestWrapper that sanitizes every incoming request parameter, including JSON bodies.

Custom wrapper XssHttpServletRequestWrapper performs a "deep clean" at the source.

It escapes dangerous tokens such as <script>, javascript:, onerror= and converts them to harmless characters.

It also neutralizes typical SQL‑injection payloads like ' or 1=1 -- and union select by escaping quotes.

All request types (GET, POST, application/json) are treated uniformly.

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        return cleanXss(value);
    }
    private String cleanXss(String value) {
        if (value == null) return null;
        value = value.replaceAll("<script>(.*?)</script>", "")
                     .replaceAll("javascript:", "")
                     .replaceAll("onerror(.*?)=['\"](.*?)['\"]", "");
        value = value.replace("<", "&lt;").replace(">", "&gt;");
        value = value.replace("'", "''");
        return value;
    }
}

Master tip 2: Filter as early as possible—stop malicious input before it reaches any controller.

Imagine a guard at the front door (the wrapper) inspecting every visitor; this prevents the need for ad‑hoc checks later in the controller or service layers.

2. Channel protection – use parameterized queries

Avoid string concatenation like

String sql = "SELECT * FROM users WHERE username='" + username + "'"

. Instead, use prepared statements with #{} placeholders (MyBatis) or ? in JDBC.

MyBatis example :

SELECT * FROM users WHERE username = #{username} AND password = #{password}

Prepared statements compile the SQL template once; user input is sent separately as data, eliminating injection risk.

<select id="findUser" resultType="User">
    SELECT * FROM users WHERE username = #{username} AND password = #{password}
</select>

Master tip 3: Never mix data with code; keep them separate.

SQL injection works by disguising malicious data as executable code. Parameterized queries ensure the database treats user input strictly as data.

3. Core protection – Spring Security’s comprehensive features

Authentication : supports password, phone, third‑party logins; passwords are salted and hashed.

Authorization : URL‑based access control (e.g., /admin/** requires ROLE_ADMIN).

CSRF protection : automatic token validation for state‑changing requests.

Session management : protects against session fixation, timeout, and concurrent session attacks.

HTTPS enforcement : forces secure channels for sensitive operations.

Master tip 4: Security is a chain; its strength is determined by the weakest link.

Only protecting XSS/SQL injection is like installing a thick door but leaving the windows unlocked. Spring Security provides a complete, configurable security ecosystem that ties authentication, authorization, session, CSRF, and filter‑level defenses into a unified whole.

In summary, adopting Spring Security’s full‑stack protection—from request‑level sanitization with XssHttpServletRequestWrapper, through parameterized data access, to comprehensive runtime safeguards—creates a “copper‑wall” defense that can bring vulnerability rates close to zero.