Many previous studies on web security focus on the data confidentiality issue. However, confidential data in web applications may be revealed even that security mechanisms like SSL or SET are adopted in web sites. This is because there exist potential security vulnerabilities in web applications themselves. Most of these vulnerabilities are caused by the lack of solid input validations for protecting web applications. SQL injection is a typical example of attacks based on the vulnerabilities. Cross-site Scripting (XSS), price changing attack, and poisoned cookie are other known security threats of web applications. It is a challenge to develop a unified method to validate web inputs for all web applications. In this paper, we propose a framework for protecting web applications based on the XML validation technology. We use the standard XML schema as a security policy description language (SPDL). Developers can use XML schema to specify the properties of web inputs. In the proposed framework, located between the web server and web applications, web inputs are first encapsulated in an XML document generated on the fly. Then, the XML document is validated by using XML schema. If no errors are found after the XML validation, the web inputs are valid for web applications. Hence, web applications can be protected effectively. Compared with previous approaches, our framework uses the standardized XML schema as the SPDL for web applications. Therefore, no any particular compiler is required. In addition, no any network configuration is needed in our framework. Legacy web applications can also be protected without any modifications. In summary, our framework provides a simpler and more effective mechanism for securing web applications.