Why does an apostrophe in my Java String appear as `'` in my HTML?
Solution 1
This character is escaped to prevent XSS if the resulting string is used in an HTML attribute quoted with '. See the OWASP XSS Prevention Cheat Sheet.
I don't think it's a good idea to disable such security precautions, since they don't harm the normal behaviour.
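The effect of leaving the apostrophe unescaped in a single-quoted attribute, as an added example that is not part of the original answers: the string from the question is written into a `title='...'` attribute raw and escaped. `escapeHtml` and `parsedTitle` are hypothetical helpers written for this illustration (not JSTL's implementation), and `parsedTitle` is a simplified model of how a browser reads the attribute.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ApostropheEscaping {

    // Minimal HTML escaper (hypothetical helper, not JSTL's own code).
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break; // numeric reference for '
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Simplified model of a browser reading a single-quoted attribute:
    // the value ends at the first literal ', and character references
    // are decoded only after the value boundaries have been found.
    static String parsedTitle(String html) {
        Matcher m = Pattern.compile("title='([^']*)'").matcher(html);
        if (!m.find()) return null;
        return m.group(1).replace("&#39;", "'").replace("&lt;", "<")
                .replace("&gt;", ">").replace("&quot;", "\"")
                .replace("&amp;", "&"); // decode &amp; last to avoid double-decoding
    }

    public static void main(String[] args) {
        String value = "God's wrath"; // the string from the question

        // Raw concatenation: the apostrophe closes the attribute early.
        String raw  = "<span title='" + value + "'>x</span>";
        // Escaped: the apostrophe is data, so the attribute stays intact.
        String safe = "<span title='" + escapeHtml(value) + "'>x</span>";

        System.out.println(raw);
        System.out.println("  value seen by the parser: " + parsedTitle(raw));
        System.out.println(safe);
        System.out.println("  value seen by the parser: " + parsedTitle(safe));
    }
}
```

In the raw case the rest of the string falls outside the attribute value and is parsed as markup, which is the opening the escaping closes; in the escaped case the browser still displays a plain apostrophe to the user.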
Solution 2
Just like the '<', '>', and other characters, the quote is replaced by that code to avoid nasty surprises when the browser is rendering the page. Take a look at this list by W3Schools for a complete list of codes and their respective symbol.
Solution 3
If you're using JSTL, the c:out tag has an escapeXml attribute; you can set it to false to avoid encoding characters.
Solution 4
Special characters appear as ampersand escaped numbers because they mean something in HTML. In this case the ' is used to start a string literal. If you want it to actually show the ' then you have to replace it with the escaping. That's the why.
I don't know why you'd want to avoid it though.
Admin
Updated on June 22, 2022
Why does the Java string:
"God's wrath"
appear in HTML as
God's wrath
How to avoid this?