How to escape Java HTML strings

Injection attacks are among the easiest attacks to carry out against a website. When user-controlled input is written into an HTML page without escaping, the browser interprets any markup it contains, which is the basis of cross-site scripting (XSS). Escaping the value for the HTML context at the point where it is written to the page (output encoding) is the standard defence.

StringEscapeUtils is a utility class from Apache Commons Lang (org.apache.commons.lang.StringEscapeUtils in Commons Lang 2.x; Commons Lang 3 moved it to org.apache.commons.lang3.StringEscapeUtils and renamed escapeHtml to escapeHtml4, and later 3.x releases deprecate it in favour of org.apache.commons.text.StringEscapeUtils from Commons Text). Its escapeHtml method replaces the HTML metacharacters &, <, > and " with character entities, so the value is rendered as text rather than parsed as markup.

How to use it in a JSP (Commons Lang 2.x on the classpath):

<%@ page import="org.apache.commons.lang.StringEscapeUtils" %>
<%
    // Raw request parameter: attacker-controlled, must never reach the page unescaped
    String unsafeString = request.getParameter("userInput");
    // Escape HTML metacharacters before the value is written into the page
    String safeString = StringEscapeUtils.escapeHtml(unsafeString);
%>
<p>You entered: <%= safeString %></p>
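The following is an added, stand-alone example (not code from the original post) that shows the same escaping outside a JSP so the vulnerable and hardened rendering can be compared side by side, and that covers the one caveat a practitioner should know about this method: escapeHtml escapes &, <, > and the double quote, but not the single quote, so it only protects attribute values that are wrapped in double quotes. The class name HtmlEscapeDemo, the render helper names and the sample payloads are all constructed for this example; it assumes Commons Lang 2.x (org.apache.commons.lang) on the classpath, as the post does.

```java
import org.apache.commons.lang.StringEscapeUtils;

public class HtmlEscapeDemo {

    // Constructed attacker input: a classic script-tag probe (hypothetical sample data)
    static final String SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>";

    // VULNERABLE: raw input is concatenated straight into markup, so any tags in it
    // become part of the page and execute in the victim's browser
    static String renderUnsafe(String userInput) {
        return "<p>You entered: " + userInput + "</p>";
    }

    // HARDENED: escape for the HTML body context before concatenation.
    // escapeHtml(null) returns null, so a missing parameter is mapped to "" first
    // to avoid printing the literal text "null" into the page.
    static String renderSafe(String userInput) {
        String text = (userInput == null) ? "" : userInput;
        return "<p>You entered: " + StringEscapeUtils.escapeHtml(text) + "</p>";
    }

    // Attribute context: escapeHtml turns " into &quot;, so an attacker cannot close a
    // double-quoted attribute and add an event handler. The attribute MUST be wrapped in
    // double quotes; escapeHtml leaves ' untouched, so a single-quoted attribute would
    // still be breakable.
    static String renderAttributeSafe(String userInput) {
        String text = (userInput == null) ? "" : userInput;
        return "<input type=\"text\" value=\"" + StringEscapeUtils.escapeHtml(text) + "\">";
    }

    public static void main(String[] args) {
        // Body context: tags survive in the unsafe version and are neutralised in the safe one
        System.out.println("unsafe: " + renderUnsafe(SCRIPT_PAYLOAD));
        System.out.println("safe:   " + renderSafe(SCRIPT_PAYLOAD));

        // Attribute context: the double quote in the payload is escaped, so the
        // injected onfocus handler stays inside the value
        String attrPayload = "\" onfocus=\"alert(1)";
        System.out.println("attr:   " + renderAttributeSafe(attrPayload));

        // Caveat: the single quote passes through escapeHtml unchanged, which is why
        // single-quoted attributes must not be used with this method
        String apostrophePayload = "' onfocus='alert(1)";
        System.out.println("apos:   " + StringEscapeUtils.escapeHtml(apostrophePayload));

        // Missing parameter: handled as an empty value rather than the string "null"
        System.out.println("null:   " + renderSafe(null));
    }
}
```

Compile and run it with commons-lang (2.x) on the classpath. In the body context the script tags come back as &lt;script&gt; and &lt;/script&gt; and are displayed as text; in the attribute context the embedded double quote comes back as &quot;, so the attribute is not terminated early. The apostrophe line is the one to look at: it is printed exactly as it went in, which is why HTML escaping only covers the HTML body and double-quoted attribute contexts. A value placed inside a JavaScript block, a URL, or CSS needs the escaping appropriate to that context instead.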
