The invention discloses an XSS (cross site script) defense method and component for JAVA WEB applications. The XSS defense method includes: acquiring at least one XSS filtering strategy and storing the same in an XSS filter unit; receiving application requests including a uniform resource locator and sent by a client, and preprocessing the uniform resource locator to acquire parameter lists, wherein the parameter lists include at least one parameter keyword and at least one parameter value corresponding to the parameter keyword; acquiring at least one XSS filter strategy form the XSS filter unit and filtering the parameter lists to acquire the filtered parameter list; executing the JAVA WEB applications requested by application requests according to the filtered parameter list. Independent XSS filter strategies can be compiled for different XSS loopholes, and when new XSS loopholes appear, the XSS filter strategies need to be updated as well. Since business execution codes are not involved, a server is capable of providing long-term service online without being updated offline.