How to escape Java HTML strings


Injection attacks are among the easiest attacks to carry out against a website: anything a user submits and the page echoes back unescaped is interpreted by the browser as markup. Escaping user input before printing it into an HTML page is essential to prevent this.

StringEscapeUtils is a utility class from the Apache Commons Lang package; its escapeHtml method replaces the characters HTML treats specially (such as &, <, > and ") with entities, so the browser renders them as text instead of markup.

How to use it in a JSP:

<%@ page import="org.apache.commons.lang.StringEscapeUtils" %>

<%
// Raw request parameters are untrusted: never print them directly.
String unsafeString = request.getParameter("userInput");

// escapeHtml() returns null for a null input, so guard against a missing parameter.
if (unsafeString == null) {
    unsafeString = "";
}

// Escape at the point of output, into an HTML text or quoted-attribute context.
out.println(StringEscapeUtils.escapeHtml(unsafeString));
%>

Two caveats: the import above is for Commons Lang 2.x; in Commons Lang 3 the class is org.apache.commons.lang3.StringEscapeUtils and the method is escapeHtml4 (deprecated since 3.6 in favour of the same method in Apache Commons Text). And escapeHtml is only correct for HTML text and double-quoted attribute values; it does not encode the apostrophe, so it is not sufficient for single-quoted attributes, and it is never sufficient for values placed inside JavaScript, CSS or URLs, which need their own escaping.
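As an added example (not code from the original post or from Apache Commons), the following dependency-free Java program shows what HTML escaping does character by character, rendering the same constructed input into a page fragment with and without escaping. It assumes a hand-written escapeHtml that, unlike the Commons Lang method, also encodes the apostrophe so that the output is safe in single-quoted attributes too.

```java
public class HtmlEscapeDemo {

    // Minimal escaper for the five characters that matter in HTML text and
    // quoted-attribute context. Commons Lang's escapeHtml additionally maps
    // many non-ASCII characters to named entities and leaves ' untouched;
    // this version (an assumption of the example) encodes ' as &#39;.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Builds the same fragment the JSP above would emit, in two places where
    // user data commonly lands: element text and a single-quoted attribute.
    static String render(String userInput, boolean escape) {
        String value = escape ? escapeHtml(userInput) : userInput;
        return "<p title='" + value + "'>Hello, " + value + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input containing markup and both quote styles.
        String userInput = "Bob <b>&</b> \"Smith\" O'Neil";

        // Unescaped: the browser sees a new tag and a closed attribute.
        System.out.println(render(userInput, false));

        // Escaped: every special character is shown literally as text.
        System.out.println(render(userInput, true));
    }
}
```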
