Cool things about Hibernate & JSP

Generally people have to do a lot of work to sanitize input from the user (excluding *URL* sanitization). Here is something you can do with minimum effort if you are using Hibernate & JSP and want to sanitize everything (courtesy Ben Wolfe):

1. You *don't* have to do anything to prevent SQL injection; Hibernate already does it by using Java's PreparedStatements.
2. XSS can be prevented by displaying data using `<c:out value="${myobject.myvar}"/>` instead of just `${myobject.myvar}` in your JSP.
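The PreparedStatement protection in point 1 only covers values that are bound as query parameters. The following is an added example (not code from the original post or from Ben Wolfe) showing the bound-parameter form beside a concatenated HQL string that still ends up in a PreparedStatement but is injectable anyway. The `User` entity, its `username` property and the Hibernate 5.x / `javax.persistence` API are assumptions.

```java
import javax.persistence.Entity;
import javax.persistence.Id;
import java.util.List;
import org.hibernate.Session;
import org.hibernate.query.Query;

// Minimal entity assumed for this example; the page names no classes.
@Entity
public class User {
    @Id
    public Long id;
    public String username;

    // Safe: the value travels as a JDBC PreparedStatement parameter.
    // Hibernate sends "... where u.username = ?" plus the value separately,
    // so an input like  ' OR '1'='1  is compared as a literal string.
    public static List<User> findByUsername(Session session, String username) {
        Query<User> q = session.createQuery(
            "from User u where u.username = :name", User.class);
        q.setParameter("name", username);
        return q.getResultList();
    }

    // Unsafe: concatenating the input into the HQL text defeats the
    // protection above. Hibernate still issues a PreparedStatement, but
    // the attacker-controlled text is already part of the statement itself.
    // Shown only to make the boundary of point 1 explicit; do not use.
    public static List<User> findByUsernameConcatenated(Session session, String username) {
        Query<User> q = session.createQuery(
            "from User u where u.username = '" + username + "'", User.class);
        return q.getResultList();
    }
}
```

A quick code-review check for Hibernate projects is therefore to grep for `createQuery(` calls whose string argument contains `+`; every such call should be rewritten to use `:name` placeholders and `setParameter`.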