How to Escape Special HTML Characters in Jsp

How can I escape special HTML characters in JSP?

Short answer:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:out value="${myString}"/>

There is another option:

<%@taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
${fn:escapeXml(myString)}

Escaping special characters in JSP with JSTL from user input retrieved through AJAX as XML

Many thanks to BigMike in the comment section above; I wouldn't have solved the problem if it wasn't for his hints. It had to do with something quite unrelated which coincidentally made it look as if it was an XML escaping issue (because it was fetching comments for a different post).

/facepalm


Escaping HTML characters in JSP without special library

If your target platform is really Enfinity, as you state in your question and in the tags, you should be using the Enfinity constructs even though this is not completely what you know from JSP. Please allow me to reopen this old thread and try to help you with that.

Enfinity has its own "templating language" called ISML. In the end, ISML is precompiled to JSP. You can find the documentation with any installation of the Enfinity application server (a PDF called enfsuite_dev_programming). You should ask your project manager or build engineer if you don't have it available.

On the other hand, I read from your statement that you possibly have Enfinity Studio available (the IDE of Enfinity, a derivative of Eclipse). You should be able to access the developer guide through Enfinity Studio's Help menu. Unfortunately, this menu has some errors in some versions of the Studio. However, you can get there through Window > Show View > Other > Help. At the bottom of the help window is a "Content" link that will take you to the overview. The developer guide is under the table of contents link "Enfinity Suite Application Programming Guide".

However you get to the guide: in the appendix you will find a section "Reference > ISML Tags / ISML Functions / ISML Modules". Browsing through it you will find the function:

<isprint value="#value#" encoding="on|off">

Encoding is "on" by default, and this statement will do exactly what you need: it will encode all HTML special characters in #value#. The special thing here is that the key value matches an object in the so-called Pipeline Dictionary, a construct storing objects coming out of the Enfinity business logic workflow layer (so-called pipelines).

This pipeline dictionary can be manipulated in JSP using:

Map<String, Object> pdict = getPipelineDictionary();

The dictionary is a standard Java Map and can be manipulated using the known operations. However, the preferred way would be using pipelines or at least the respective ISML tag:

<isset name="name" value="#value#" scope="request|session">

A full example for usage with JSP/ISML would be:

<%
String myString = "<b>Test</b>";
getPipelineDictionary().put("myDictKey", myString);
%>
<isprint value="#myDictKey#">

Escaping HTML special character with JSP or JQuery

Here is one way - seeing you already have the data on the page

<td class="description hide" id="${doc.id}"><c:out value="${doc.description}"/></td>

where

.hide is {display:none}

and then

$("#${doc.id}").show();

JSTL escaping special characters

The JSTL provides two means of escaping HTML special chars:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
[…]
<c:out value="${myName}"/>

and

<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
[…]
${fn:escapeXml(myName)}

Both will transform the special chars into their respective HTML entities (< becomes &lt;, & becomes &amp;, ...).

Note that the IDs must be encoded in HTML, but not in JavaScript.

Where should I escape HTML strings, JSP page or Servlets?

You only need to escape it exactly where it can do harm. In this particular case, that's in the view. User-controlled HTML can harm when it gets inlined among all your HTML in the view. This is a source of XSS.

In a well-designed JSP page (read: no scriptlets), JSTL offers you the <c:out> tag and fn:escapeXml() function to escape HTML/XML.

<c:out value="${param.foo}" />
<input type="text" name="foo" value="${fn:escapeXml(param.foo)}" />

Display HTML special characters in JSP: Why and When they are being escaped?

Try to define the content in a standard template to make it cross-browser compatible.

String content =
    "<!DOCTYPE html>\n" +
    "<html>\n" +
    "<body>\n" +
    "\n" +
    "<h1>Test Me</h1>\n" +
    "\n" +
    "<p>Test Me 2.</p>\n" +
    "\n" +
    "</body>\n" +
    "</html>";

How to escape apostrophe or quotes on a JSP (used by JavaScript)

Use the Apache StringEscapeUtils.escapeJavaScript function.

Escapes the characters in a String using JavaScript String rules.

Escapes any values it finds into their JavaScript String form.
Deals correctly with quotes and control-chars (tab, backslash, cr, ff, etc.)

So a tab becomes the characters '\\' and 't'.
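Tying two of the answers above together (escaping in the view because that is where user input is inlined into HTML, and the JavaScript-string rules that escapeJavaScript applies): an added example, not taken from any of the posts, that reimplements both rules without JSTL or Commons Lang so the two output contexts can be compared side by side. The class and method names and the sample input are assumptions made for illustration.

```java
// Added illustration: the same five characters JSTL's fn:escapeXml / <c:out> replace,
// next to JavaScript string-literal escaping. Names and sample input are assumptions.
public final class JspEscapeDemo {
    /** HTML/attribute context: the replacements fn:escapeXml performs. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    /** JavaScript string-literal context: quotes, backslash, control characters,
     *  and "/" so the literal can never contain "</script>" verbatim. */
    static String escapeJs(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': sb.append("\\\\"); break;
                case '"':  sb.append("\\\""); break;
                case '\'': sb.append("\\'");  break;
                case '\t': sb.append("\\t");  break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '/':  sb.append("\\/");  break;
                default:
                    if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
                    else sb.append(c);
            }
        }
        return sb.toString();
    }
    public static void main(String[] args) {
        // Constructed sample input (not from the page) that would break out of
        // an unescaped value="..." attribute or an unescaped '...' JS literal.
        String foo = "Bob\" onmouseover=\"alert(1)\" x='</script>";
        System.out.println("<input type=\"text\" name=\"foo\" value=\"" + escapeHtml(foo) + "\" />");
        System.out.println("<script>var foo = '" + escapeJs(foo) + "';</script>");
    }
}
```

Each function is only correct for its own context; an HTML-escaped value dropped into a JavaScript literal (or vice versa) is still unsafe, which is the point of the note above that IDs must be encoded in HTML but not in JavaScript.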

