
HttpServletRequest - Quick way to encode URL and hidden field parameters

In my Java app I'm preventing XSS attacks. I want to encode URL and hidden field parameters in the HttpServletRequest objects I have a handle on.

How would I go about doing this?

To properly display user-entered data on an HTML page, you simply need to ensure that any special HTML characters are properly encoded as entities, via String#replace or similar. The good news is that there is very little you need to encode (for this purpose):

str = str.replace("&", "&amp;").replace("<", "&lt;");

You can also replace > if you like, but there's no need to.

This isn't only because of XSS, but also just so that characters show up properly. You may also want to handle ensuring that characters outside the common Latin set are turned into appropriate entities, to protect against charset issues (UTF-8 vs. Windows-1252, etc.).

Don't do that. You're making it unnecessarily more complicated. Just escape it during display only. See my answer in your other topic: Java 5 HTML escaping To Prevent XSS

You can use StringEscapeUtils from the library Apache Jakarta Commons Lang

http://www.jdocs.com/lang/2.1/org/apache/commons/lang/StringEscapeUtils.html
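The escape-at-display approach from the answers above, written out as an added example (not code from the question, the answers, or Commons Lang). It goes one step beyond the single replace line: a hidden field's value sits inside a quoted attribute, so quote characters are escaped there as well as &, < and >. The class name, method names and the sample value are assumptions for this illustration.

```java
/** Added example: escape at display time, choosing the escaping by HTML context. */
public final class HtmlEscaper {

    private HtmlEscaper() {}

    /** Text between tags: escaping &, < and > is enough here. */
    public static String escapeText(String s) {
        return escape(s, false);
    }

    /** Value inside a double-quoted attribute, e.g. a hidden field's value="...":
     *  quotes must be escaped too, otherwise a parameter can close the attribute early. */
    public static String escapeAttribute(String s) {
        return escape(s, true);
    }

    private static String escape(String s, boolean quotes) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;"); break;
                case '<':  out.append("&lt;");  break;
                case '>':  out.append("&gt;");  break;
                case '"':  out.append(quotes ? "&quot;" : "\""); break;
                case '\'': out.append(quotes ? "&#39;" : "'");   break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Renders a hidden field from a request parameter; the escaping happens here,
     *  at render time, rather than by rewriting the HttpServletRequest. */
    public static String hiddenField(String name, String value) {
        return "<input type=\"hidden\" name=\"" + escapeAttribute(name)
             + "\" value=\"" + escapeAttribute(value) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample value containing every special character; in a servlet this
        // would be the result of request.getParameter("note").
        String raw = "Tom & Jerry <\"quoted\"> 'single'";
        System.out.println(escapeText(raw));
        System.out.println(hiddenField("note", raw));
    }
}
```

Keep the raw parameter value unchanged in the request and escape only at the point where it is written into HTML, so the same value can later be escaped differently for a JavaScript or URL context.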
