XSS Escape characters before taking data into java. JSTL

Question

I know how to escape XSS while displaying data, but how can I escape it before taking it? Is there a way, that I can escape the data which is in input from user before taking the code to java? Or is it impossible and I have to do it in java code?

The code:

<body>
    <input type="text" name="name" value=<c:out value="Name"/>>
    <input type="text" name="surname" value=<c:out value="Surname"/>>
    <input type="submit" name="continue" value="Continue">
</body>

Doesn't work, and it makes sense I guess, because it escapes "Name" and not what user put inside it. So, can I escape it before or do I have to do it later in java code?

Answer 1

You don't want to escape what the user enters. That's the real data.

When displaying this data in an HTML document, it needs to be HTML-escaped. But if you change the way your application works and decide to serialize the data to JSON, then it won't need to be HTML-escaped, but will need to be JSON-escaped. And when displaying the data in the console, it doesn't need to be escaped at all.

So you don't want to have HTML-escaped strings in your database. You want the real data. Escaping depends on how the data is displayed or serialized.