春季安全性和特殊字符

Java Servlet标准在支持Unicode方面可怜. ISO-8859-1的默认值是无用的，并且仍然没有跨容器兼容的方法将其配置为其他值.

The Java Servlet standard is lamentably poor at supporting Unicode. The default of ISO-8859-1 is useless and there is still no cross-container-compatible means of configuring it to something else.

matteosilv的答案中的filter方法适用于请求正文.对于URL中的参数，必须使用特定于容器的选项.例如，在 Tomcat 中，在server.xml中的<Connector>上设置URIEncoding；在玻璃鱼中，它是在glassfish-web.xml中的<parameter-encoding>.

The filter method in matteosilv's answer works for request bodies. For parameters in the URL, you have to use container-specific options. For example in Tomcat, set URIEncoding on the <Connector> in server.xml; in Glassfish it's <parameter-encoding> in glassfish-web.xml.

(如果您必须以完全跨容器兼容的方式工作，则最终必须编写自己的getParameter()实现，这确实令人遗憾.BadServlet.)

(If you have to work in a fully cross-container-compatible manner you end up having to write your own implementation of getParameter(), which is sad indeed. Bad Servlet.)

无论如何，在GET URL参数中传递登录表单字段是一个坏主意.

However in any case it is a bad idea to pass login form fields in GET URL parameters.

首先，这是因为登录会引起状态更改，因此它不是幂等"的.这使GET成为不合适的方法，并导致大量实际问题，例如在导航页面时可能登录您，或者由于缓存而无法登录等.

This is firstly because a login causes a state-change to occur, so it is not "idempotent". This makes GET an unsuitable method and causes a load of practical problems like potentially logging you in when you navigate a page, or failing to log you in due to caching, and so on.

第二，URL可以通过多种方式泄漏"，包括引荐来源跟踪，日志记录，代理和浏览器历史记录保留.因此，您切勿在URL中(包括GET表单提交中)放置任何敏感数据(例如密码).

Secondly there are a range of ways URLs can 'leak', including referrer tracking, logging, proxies and browser history retention. Consequently you should never put any sensitive data such as a password in a URL, including in GET form submissions.

我建议与CharacterEncodingFilter一起使用POST表单提交.

I'd suggest using a POST form submission instead, together with the CharacterEncodingFilter.