
Escape both HTML and JSON

Is there a recommended way to escape both HTML and JSON? Currently I'm using StringEscapeUtils from Apache Commons Lang. Before putting data into my database, I first forward the input String to a method which first escapes the HTML and then escapes the JSON. The method looks like this:

import static org.apache.commons.lang3.StringEscapeUtils.escapeHtml4;
import static org.apache.commons.lang3.StringEscapeUtils.escapeJson;

// HTML-escape first, then JSON-escape the already HTML-escaped result
private static String escapeHTMLJSON(String string) {
    return escapeJson(escapeHtml4(string));
}

Is this method resistant to dangerous HTML and JSON? I want to prevent XSS (Cross-Site Scripting).

I've seen the recommendation to filter input, and escape output. So most of the time it wouldn't make sense to apply both JSON encoding and HTML encoding unless you're doing something like generating JSON data within an HTML attribute.

Escaping both HTML and JSON is safe in the context of directly inserting the values into an HTML element:

<p>[INPUT]</p>

or a JSON string value:

{"key": "[INPUT]"}

They won't escape to the surrounding context.

Although there are other contexts where it may not be safe like CSS styles or URLs, and more. The correct encoding to apply depends on what the surrounding format is so should be chosen on output where this information is available.

If the values are not encoded on output, then this can cause vulnerabilities if the source of the data is changed, or if it's used in a new context.

Another problem is that the values will become corrupted. If you use JSON encoding for HTML data, or HTML encoding for JSON data, then the values will be filled with unnecessary backslash and ampersand escape sequences. If quote and bracket symbols are valid input, then you should preserve them in the input, and if they're not valid input, then you shouldn't accept them at all.
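As an added illustration of the answer above (example code, not from the question or the answer), the same raw value encoded at output time for three contexts: an HTML element body, a JSON string, and JSON nested inside an HTML attribute (inner format first, outer format last, because the browser decodes the attribute before the JSON is parsed). The last lines reproduce the question's store-time double encoding and show that a JSON consumer no longer gets the original value back. The sample input is constructed; the class and method names are assumptions, and `org.apache.commons.lang3.StringEscapeUtils` is the Commons Lang class the question refers to.

```java
import org.apache.commons.lang3.StringEscapeUtils;

public class ContextEncodingExample {

    // Value placed between HTML tags: only HTML encoding applies.
    static String forHtmlBody(String raw) {
        return StringEscapeUtils.escapeHtml4(raw);
    }

    // Value placed inside a JSON string literal: only JSON encoding applies.
    static String forJsonString(String raw) {
        return StringEscapeUtils.escapeJson(raw);
    }

    // JSON document stored in an HTML attribute: the browser HTML-decodes the
    // attribute first, then the application parses JSON, so encode JSON (inner)
    // first and HTML (outer) last.
    static String forJsonInHtmlAttribute(String raw) {
        return StringEscapeUtils.escapeHtml4(StringEscapeUtils.escapeJson(raw));
    }

    public static void main(String[] args) {
        // Constructed sample input containing quotes, tags and an ampersand.
        String raw = "He said \"<b>hi</b>\" & left";

        // Store the raw value; pick the encoder where the output context is known.
        System.out.println("<p>" + forHtmlBody(raw) + "</p>");
        System.out.println("{\"key\": \"" + forJsonString(raw) + "\"}");
        System.out.println("<div data-payload=\"" + forJsonInHtmlAttribute(raw) + "\"></div>");

        // The question's approach: both encodings applied before the value is stored.
        String stored = StringEscapeUtils.escapeJson(StringEscapeUtils.escapeHtml4(raw));

        // A JSON consumer undoes the JSON layer and is left with HTML entities,
        // so the decoded value no longer equals what the user typed.
        String seenByJsonConsumer = StringEscapeUtils.unescapeJson(stored);
        System.out.println("JSON consumer gets original back: " + seenByJsonConsumer.equals(raw));

        // An HTML consumer renders the stored string as-is, so the JSON
        // backslash sequences become visible text instead of being removed.
        System.out.println("<p>" + stored + "</p>");
    }
}
```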
