Java Regex, less than and more than sign

Question

I have a string that users are able to enter on the internet, currently it is not protected against XSS attacks. I would like to be able to replace < and > symbols. Commonly known as 'less than', 'more than', 'angle brackets' etc.

I am sure this has been asked a million times but I can't find a simple answer. I assume regex is the way forward but can't work out how to pick these characters.

Answer 1

You really should use StringEscapeUtils.escapeHtml() from Apache Commons Lang to instead of regex for this. Eg all you need to do is:

String escaped = StringEscapeUtils.escapeHtml(input);

The best practice to protect against XSS is to escape all HTML entities and this method handles those cases for you. Otherwise you'll be writing, testing and maintaining your own code to do what has already been done. See the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet for more details.

Answer 2

Java regex shouldn't require any special treatment for angle brackets. This should work fine:

myString.replace("<", "less than").replace(">", "greater than");

Hope that helps.

-tjw

Answer 3

作为正则表达式的替代方法，您可以使用像Apache Commons StringEscapeUtils类这样的实用程序类，在将HTML字符串发布回服务器并将其存储在数据库中或将其作为输出重新发送之前对其进行编码。

Answer 4

Since you tagged this jsp , I'd like to add that the normal approach to escape HTML/XML in JSP is using the JSTL <c:out> tag or fn:escapeXml() function.

Eg

<c:out value="${user.name}" />
<input type="text" name="name" value="${fn:escapeXml(user.name)}" />

No need for Apache Commons Lang. Plus, escaping should really be done in the view side, not in the model/controller side.

See also:

• XSS prevention in JSP