We use jsp, servlets, beans with mysql database. We don't want to restrict the characters entered by users on form fields. So how do I sanitize the input and how to make sure the output is not changed for malicious activities. Is there way while sending the output I could check if extra code has been sent. Like suppose there is search input field -- the user gives something like <script>alert("I am here")</script>. Is there anway I could know this is a html tag. If the user appends an extra parameter to a link field, is there like a before and after check I could do for the document to realize there has been a extra link field.

You really should allow users to input as little HTML and/or javascript as possible. One good solution to validating and sanitizing this stuff is to use a ready-made library like OWASP AntiSamy.

Also, take a look at OWASP Enterprise Security API for a collection of security methods that a developer needs to build a secure web application.

You should always do basic HTML-escaping of data taken from sources like user input or the database that might contain invalid characters. The <c:out> JSP tag does this, for example. That way if the user enters "<script> ..." in a field and you are printing it back again, it will be printed to the HTML as "<script> ...".

Give jsoup a go to help you out with this. Whatever you do, don't try to hack this up using regex or something, because then you'll have 2 problems. :-)

With jsoup, all you need is a short snippet of code:

String safe = Jsoup.clean(unsafe, Whitelist.basic());

You can add tags and attributes to Whitelist fairly easily, though I found it doesn't support namespace tags.