Console:

XSSFilter patch from str4d:
  XSSFilter and XSSRequestWrapper were from http://ricardozuasti.com/2012/stronger-anti-cross-site-scripting-xss-filter-for-java-web-apps/
  No provided license, but it is clearly intended for public consumption.
  But most of it is boilerplate provided by the Servlet Filter system.
  In fact, now that I have stripped out his JS-specific patterns and replaced it with the whitelist,
  it is effectively identical to what I would have written from scratch.

apps/jetty/java/src/net/i2p/servlet/filters/XSSFilter.java

@@ -0,0 +1,27 @@
+package net.i2p.servlet.filters;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+public class XSSFilter implements Filter {
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+    }
+
+    @Override
+    public void destroy() {
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+        throws IOException, ServletException {
+        chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);
+    }
+}

apps/jetty/java/src/net/i2p/servlet/filters/XSSRequestWrapper.java

@@ -0,0 +1,63 @@
+package net.i2p.servlet.filters;
+
+import java.util.regex.Pattern;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+//import org.owasp.esapi.ESAPI;
+
+public class XSSRequestWrapper extends HttpServletRequestWrapper {
+    // Adapted from https://owasp-esapi-java.googlecode.com/svn/trunk/configuration/esapi/ESAPI.properties
+    private static Pattern parameterValuePattern = Pattern.compile("^[a-zA-Z0-9.,:\\-\\/+=@_ \r\n]*$");
+    private static Pattern headerValuePattern = Pattern.compile("^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$");
+
+    public XSSRequestWrapper(HttpServletRequest servletRequest) {
+        super(servletRequest);
+    }
+
+    @Override
+    public String[] getParameterValues(String parameter) {
+        String[] values = super.getParameterValues(parameter);
+
+        if (values == null) {
+            return null;
+        }
+
+        int count = values.length;
+        String[] encodedValues = new String[count];
+        for (int i = 0; i < count; i++) {
+            encodedValues[i] = stripXSS(values[i], parameterValuePattern);
+        }
+
+        return encodedValues;
+    }
+
+    @Override
+    public String getParameter(String parameter) {
+        String value = super.getParameter(parameter);
+
+        return stripXSS(value, parameterValuePattern);
+    }
+
+    @Override
+    public String getHeader(String name) {
+        String value = super.getHeader(name);
+        return stripXSS(value, headerValuePattern);
+    }
+
+    private String stripXSS(String value, Pattern whitelistPattern) {
+        if (value != null) {
+            // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
+            // avoid encoded attacks.
+            //value = ESAPI.encoder().canonicalize(value);
+
+            // Remove bad parameters entirely.
+            // NOTE: This doesn't consider whether null is acceptable.
+            if (!whitelistPattern.matcher(value).matches()) {
+                value = null;
+            }
+        }
+        return value;
+    }
+}

apps/routerconsole/jsp/web.xml

@@ -4,6 +4,15 @@
     "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
 
 <web-app>
+    <filter>
+        <filter-name>XSSFilter</filter-name>
+        <filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
+    </filter>
+    <filter-mapping>
+        <filter-name>XSSFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
     <!-- precompiled servlets -->
     
     <!-- yeah, i'm lazy, using a jsp instead of a servlet.. -->