Thank you, first of all, but I have a better method: you may use the class StringBuffer, which can insert or append a char to a string. And as you say, you must list all of the invalid codes, and that way the number is too large. I think you can regard 'a-z', "a-z", "0-9" as valid codes, and all others as invalid codes.
By the way, you can see
http://www.rgagnon.com/javadetails/java-0306.html
Good luck!
If you have other good solutions for Cross Site Scripting, please tell me. Thank you.
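
The allowlist approach described in the post above, as an added example that is not part of the original post: letters and digits pass through unchanged and every other character is written as a numeric HTML character reference. The class and method names are hypothetical, including uppercase A-Z in the allowlist is an assumption, and the code uses StringBuilder, the unsynchronized counterpart of the StringBuffer the post mentions.

```java
public final class HtmlAllowlistEncoder {

    // Allowlist (assumed): ASCII letters and digits pass through unchanged.
    private static boolean isAllowed(int cp) {
        return (cp >= 'a' && cp <= 'z')
            || (cp >= 'A' && cp <= 'Z')
            || (cp >= '0' && cp <= '9');
    }

    // Code points that HTML does not accept as numeric character references.
    private static boolean isUnencodable(int cp) {
        return cp == 0
            || (cp < 0x20 && cp != '\t' && cp != '\n' && cp != '\r')
            || (cp >= 0x7F && cp <= 0x9F)
            || (cp >= 0xD800 && cp <= 0xDFFF);   // unpaired surrogate
    }

    /** Encodes untrusted text for an HTML element body or a quoted attribute value. */
    public static String encode(String input) {
        if (input == null) return "";
        StringBuilder out = new StringBuilder(input.length() * 2);
        for (int i = 0; i < input.length(); ) {
            int cp = input.codePointAt(i);          // handles surrogate pairs
            i += Character.charCount(cp);
            if (isAllowed(cp)) {
                out.appendCodePoint(cp);
            } else if (isUnencodable(cp)) {
                out.append("&#xFFFD;");             // replacement character
            } else {
                out.append("&#x").append(Integer.toHexString(cp)).append(';');
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the post.
        String[] samples = {
            "Hello World 123",
            "<script>alert('x')</script>",
            "\" onmouseover=\"x",
            "caf\u00e9 \uD83D\uDE00"
        };
        for (String s : samples) {
            System.out.println(encode(s));
        }
    }
}
```

This encoding fits output placed in HTML element content or a quoted attribute value; data written into script blocks, URLs or CSS needs the encoding rules of that context.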