Recommended method for escaping HTML in Java

java html escaping
Ben Lings picture Ben Lings · Aug 12, 2009 · Viewed 354k times · Source

Is there a recommended way to escape <, >, " and & characters when outputting HTML in plain Java code? (Other than manually doing the following, that is).

String source = "The less than sign (<) and ampersand (&) must be escaped before using them in HTML";
String escaped = source.replace("<", "&lt;").replace("&", "&amp;"); // ...

Answer

dfa picture dfa · Aug 12, 2009

StringEscapeUtils from Apache Commons Lang:

import static org.apache.commons.lang.StringEscapeUtils.escapeHtml;
// ...
String source = "The less than sign (<) and ampersand (&) must be escaped before using them in HTML";
String escaped = escapeHtml(source);

For version 3:

import static org.apache.commons.lang3.StringEscapeUtils.escapeHtml4;
// ...
String escaped = escapeHtml4(source);

Related questions

HTML-Entity escaping to prevent XSS

I have some user input. Within my code, I ensure that the following symbols are escaped: & -> &amp; < -> &lt; > -> &gt; OWASP states that there are more chars to be …

Read More
How to send HTTP request in java?

In Java, How to compose a HTTP request message and send it to a HTTP WebServer?

Read More
Remove HTML tags from a String

Is there a good way to remove HTML from a Java string? A simple regex like replaceAll("\\<.*?>", "") will work, but things like &amp; wont be converted correctly and non-HTML between the two angle brackets will be removed (…

Read More