For the JS code injection we could use something similar to http://htmlpurifier.org/. The above framework is in PHP; the same could be ported to Java. It is basically based on the logic of whitelisting tags, although some modifications need to be made in our case because we used the <a> tag to inject the script. Yet I think that a similar structure could work against code injection for us.
Regards, Rahul
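
An added example, not part of the original message and not HTML Purifier's code: a minimal Java sketch of the tag-allowlist idea discussed above, with extra handling for <a> so that only http, https and mailto targets survive and every other attribute is dropped. The class name, the tag list, the accepted URL schemes and the sample inputs are assumptions made for illustration.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: class name, allowlist and sample inputs are hypothetical.
public class AllowlistSanitizer {
    // Tags that are re-emitted with all attributes dropped.
    static final Set<String> PLAIN_TAGS = Set.of("b", "i", "em", "strong", "p", "br");
    // The only URL forms accepted in <a href>.
    static final Pattern SAFE_HREF = Pattern.compile("(?i)(https?://|mailto:)[^\\s\"'<>]*");
    // A tag: optional slash, name, raw attribute text without '<' or '>'.
    static final Pattern TAG = Pattern.compile("<(/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>");
    // A double-quoted href inside the raw attribute text.
    static final Pattern HREF = Pattern.compile("(?i)(?:^|\\s)href\\s*=\\s*\"([^\"]*)\"");
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
    public static String sanitize(String input) {
        StringBuilder out = new StringBuilder();
        Matcher m = TAG.matcher(input);
        int pos = 0;
        while (m.find()) {
            out.append(escape(input.substring(pos, m.start()))); // text is always escaped
            pos = m.end();
            boolean closing = !m.group(1).isEmpty();
            String name = m.group(2).toLowerCase();
            Matcher h = HREF.matcher(m.group(3));
            if (PLAIN_TAGS.contains(name) || (name.equals("a") && closing)) {
                out.append(closing ? "</" : "<").append(name).append(">");
            } else if (name.equals("a") && h.find() && SAFE_HREF.matcher(h.group(1)).matches()) {
                // Rebuild the tag from scratch so event handlers and other attributes never survive.
                out.append("<a href=\"").append(escape(h.group(1))).append("\" rel=\"nofollow noopener\">");
            } else if (name.equals("a")) {
                out.append("<a>"); // missing or disallowed href: keep the link text, drop the target
            } else {
                out.append(escape(m.group())); // unknown tag is rendered as text, not markup
            }
        }
        return out.append(escape(input.substring(pos))).toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: an allowed link, a script-scheme link, an unknown tag.
        System.out.println(sanitize("<a href=\"https://example.org/\" onclick=\"x()\">ok</a>"));
        System.out.println(sanitize("<a href=\"javascript:x()\">link</a> <b>bold</b>"));
        System.out.println(sanitize("<script>x()</script>"));
    }
}
```

The sketch does not balance opening and closing tags, which a production sanitizer built on a real HTML parser would also handle.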
