Removing script tags from a string in Java

If user input will be displayed back in a page, stripping script tags out of it helps avoid cross-site scripting (XSS) injections. The Java method below uses a regular expression to identify opening and closing script tags and removes them from the string, leaving the text that sat between the starting and ending tags in place.

import java.util.regex.Matcher;
import java.util.regex.Pattern;

private static String removeScriptTags(String message) {
      // Matches an opening or closing script tag: "<", optional "/", optional spaces,
      // the word "script", then anything up to the closing ">"
      String scriptRegex = "<(/)?[ ]*script[^>]*>";
      Pattern pattern2 = Pattern.compile(scriptRegex);

      if(message != null) {
            Matcher matcher2 = pattern2.matcher(message);
            StringBuffer str = new StringBuffer(message.length());
            while(matcher2.find()) {
              // Replace each tag with a single space; quoteReplacement keeps any
              // "$" or "\" in the replacement text from being treated specially
              matcher2.appendReplacement(str, Matcher.quoteReplacement(" "));
            }
            // Copy whatever follows the last match into the buffer
            matcher2.appendTail(str);
            message = str.toString();
      }
      return message;
}

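The following is an added, self-contained Java program (not code from the original post) that exercises the same regular expression on a few constructed inputs so the behaviour described above can be seen directly: the tags are removed, the text between them stays, and a null input is passed through. Two things are assumptions of this example rather than part of the post: the pattern is compiled with Pattern.CASE_INSENSITIVE so that variants such as "<SCRIPT>" are also matched, and a small htmlEncode helper is included to show the usual complementary step of encoding the result before it is written into a page, so that any remaining text is rendered as text rather than as markup. The class and method names are chosen here for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ScriptTagDemo {

    // Same expression as the post; CASE_INSENSITIVE is an addition in this example
    // so that "<SCRIPT>" and "<Script>" are matched as well as "<script>".
    private static final Pattern SCRIPT_TAG =
            Pattern.compile("<(/)?[ ]*script[^>]*>", Pattern.CASE_INSENSITIVE);

    // Removes opening and closing script tags, replacing each with a single space.
    // The text between the tags is deliberately left in place, as in the post.
    static String removeScriptTags(String message) {
        if (message == null) {
            return null;
        }
        Matcher m = SCRIPT_TAG.matcher(message);
        StringBuffer out = new StringBuffer(message.length());
        while (m.find()) {
            m.appendReplacement(out, Matcher.quoteReplacement(" "));
        }
        m.appendTail(out); // copy the remainder after the last match
        return out.toString();
    }

    // HTML-encodes the characters that have meaning in element content and
    // attribute values. This is the complementary step: whatever text survives
    // stripping is shown literally instead of being parsed as markup.
    static String htmlEncode(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration
        String[] samples = {
            "Hello <script>run()</script> world",
            "Hello <SCRIPT type=\"text/javascript\">run()</SCRIPT> world",
            "Closing tag with space: text</ script>",
            "No tags here",
            "Unclosed <script attr=\"x\" value",
            null
        };
        for (String sample : samples) {
            String stripped = removeScriptTags(sample);
            System.out.println("input:    " + sample);
            System.out.println("stripped: " + stripped);
            System.out.println("encoded:  " + htmlEncode(stripped));
            System.out.println();
        }
    }
}
```

Running the program shows that the first three inputs lose their tags but keep the "run()" text between them, the plain-text input is returned unchanged, the unclosed tag is left as-is because the pattern requires a closing ">", and null is passed straight through. The encoded column is what a defender would normally write into the page.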