How can I escape special HTML characters in JSP?


Short answer:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:out value="${myString}"/>

There is another option:

<%@taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
${fn:escapeXml(myString)}
Author: daxsorbito

Symbian/C++/Java/Python/Perl developer, architect and general firefighter in the UK.

Updated on July 09, 2022

Comments

  • daxsorbito
    daxsorbito almost 2 years

    Before I go and create a custom tag or Java method to do it, what is the standard way to escape HTML characters in JSP?

    I have a String object and I want to display it in the HTML so that it appears to the user as is.

    For example:

    String a = "Hello < World";
    

    Would become:

    Hello &lt; World
    
  • Adam Gent
    Adam Gent about 13 years
    Be careful as there is a difference between escaping XML and HTML.
  • rustyx
    rustyx over 12 years
    In most cases escaping XML is sufficient. BTW, the two code examples above work exactly the same. (c:out also escapes Xml, not Html).
  • Alex Lehmann
    Alex Lehmann almost 12 years
    If the concern is XSS prevention in HTML, XML escape should be sufficient (trying not to get into xml vs. html advocacy here ...)
  • priomsrb
    priomsrb over 11 years
    @AdamGent: can you give an example of a difference between escaping XML and HTML?
  • Adam Gent
    Adam Gent over 11 years
    Yeah the famous dreaded &apos;: The character entity references &lt;, &gt;, &quot; and &amp; are predefined in HTML and SGML, because <, >, " and & are already used to delimit markup. This notably does not include XML's &apos; (') entity. For a list of all named HTML character entity references, see List of XML and HTML character entity references (approximately 250 entries). -- From Wikipedia: en.wikipedia.org/wiki/Character_encodings_in_HTML
  • Adam Gent
    Adam Gent over 11 years
    What also regularly pisses me off is there is a difference between attribute content escaping and element content escaping. That is, the content you put in attributes needs to be escaped differently. I have a project called JATL that makes generating valid XHTML programmatically easier and respects the difference.
  • priomsrb
    priomsrb over 11 years
    There are more differences between escapeXml and escapeHtml mentioned here: stackoverflow.com/questions/3735900/…
  • MasterScrat
    MasterScrat about 8 years
    Note that this will not prevent all XSS vulnerabilities! If you have var show = ${fn:escapeXml(show)} you don't need either < or " to exploit it!
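As an added example (not code from the question, the answer, or any of the commenters), here is a plain-Java version of the five replacements that JSTL's fn:escapeXml and c:out perform, run over the question's own "Hello < World" string, together with a check of the JavaScript-context case raised in the last comment. The class name EscapeDemo, the escapeJsString helper and the sample values are constructed for this example and are not part of JSTL.

```java
public class EscapeDemo {

    // Mirrors the five replacements JSTL's escapeXml performs: < > & ' "
    // JSTL emits the numeric forms &#039; and &#034; rather than &apos;/&quot;,
    // so the result is valid in both HTML (which lacks &apos;) and XML.
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Constructed helper for a value placed inside a JavaScript string literal:
    // every character outside ASCII letters and digits becomes a JavaScript
    // Unicode escape (backslash, u, four hex digits), so the value can never
    // close the literal or add new tokens. This is NOT a JSTL function.
    static String escapeJsString(String s) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 128 && Character.isLetterOrDigit(c)) {
                sb.append(c);
            } else {
                sb.append(String.format("\\u%04x", (int) c));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // The question's own example: element content
        System.out.println(escapeXml("Hello < World"));          // Hello &lt; World

        // Attribute content (constructed value): the numeric entities keep both
        // kinds of quote inside the attribute value, which &apos; would not in HTML.
        String name = "O'Brien \"Bob\"";
        System.out.println("<input value=\"" + escapeXml(name) + "\">");

        // Context matters: escapeXml leaves a string untouched when it contains none
        // of the five characters, so emitting it unquoted into JavaScript code,
        // as in var show = ${fn:escapeXml(show)}, changes nothing about it.
        String js = "1); foo(";                                  // constructed
        System.out.println(escapeXml(js).equals(js));            // true: no-op here

        // Mitigation for a JS string context: quote the literal and escape it for JS
        System.out.println("var show = '" + escapeJsString(js) + "';");
    }
}
```

The takeaway the comments circle around: fn:escapeXml is the right tool for HTML element and attribute content, but which characters need escaping depends on where in the page the value lands, and a value interpolated into script code needs escaping for that context instead.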