Class StringEscape

java.lang.Object
com.aquima.interactions.foundation.text.StringEscape

public final class StringEscape extends Object
Utility class for escaping characters that have special meaning in a particular output context: HTML markup, URL query strings, XML text and attribute values, and regular expressions. Each method targets one context; applying the wrong one (or none) is how injection bugs are introduced.
Since:
5.0
Author:
O. Kerpershoek
  • Method Details

    • forHTML

      public static String forHTML(String text)
      Escape characters for text appearing in HTML markup.

      This method exists as a defence against Cross-Site Scripting (XSS). It escapes all characters recommended by the Open Web Application Security Project (OWASP).

      The following characters are replaced with corresponding HTML character entities :

      character - encoding mapping
      Character Encoding
      < &lt;
      > &gt;
      & &amp;
      " &quot;
      ' &#039;
      ( &#040;
      ) &#041;
      # &#035;
      % &#037;
      ; &#059;
      + &#043;
      - &#045;

      Note that JSTL's <c:out> escapes only the first five of the above characters. Like any output encoder, this method is context-specific: it is meant for text placed in element content or in a quoted attribute value. It does not make data safe inside a <script> block, an inline event handler or a javascript: URL, where a different encoding is required.

      Parameters:
      text - the text to be escaped to HTML
      Returns:
      the escaped text, an empty String if the text was empty or null.
    • forURL

      public static String forURL(String urlFragment)
      Synonym for URLEncoder.encode(String, "UTF-8"). URLEncoder produces application/x-www-form-urlencoded output: a space becomes '+' rather than '%20', so the result is suitable for query-string names and values, not for path segments.

      Used to ensure that HTTP query strings are in proper form, by escaping special characters such as spaces, '&' and '='. Encode each parameter name and value separately, not the assembled query string, or the separators themselves will be encoded.

      It is important to note that if a query string appears in an HREF attribute, then there are two issues: ensuring the query string is valid HTTP (each value is URL-encoded with this method), and ensuring the attribute is valid HTML (the complete attribute value is HTML-escaped, for example with forHTML(String), so that the '&' between parameters becomes &amp;). Apply the two steps in that order.

      Parameters:
      urlFragment - the text to be escaped to URL
      Returns:
      the escaped text, an empty String if the text was empty or null.
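      The following added example (not part of the original page or of the Aquima library) shows both points above in working code: the forHTML entity table applied to a constructed XSS probe, and the correct order of URL-encoding and HTML-escaping when a query string is placed in an href attribute. The forHTML and forURL methods in the example are stand-ins built from the tables and the URLEncoder synonym documented on this page; the class name HrefEscapeDemo and the search-page URL are assumptions for the demo.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

public final class HrefEscapeDemo {

    // Entity table copied from the forHTML documentation above. This is a
    // stand-in for the demo; the real StringEscape class is not reproduced here.
    private static final Map<Character, String> HTML_ENTITIES = Map.ofEntries(
            Map.entry('<', "&lt;"),   Map.entry('>', "&gt;"),   Map.entry('&', "&amp;"),
            Map.entry('"', "&quot;"), Map.entry('\'', "&#039;"), Map.entry('(', "&#040;"),
            Map.entry(')', "&#041;"), Map.entry('#', "&#035;"), Map.entry('%', "&#037;"),
            Map.entry(';', "&#059;"), Map.entry('+', "&#043;"), Map.entry('-', "&#045;"));

    // Stand-in for StringEscape.forHTML: replaces every character in the table,
    // returns "" for null or empty input as the documentation specifies.
    static String forHTML(String text) {
        if (text == null || text.isEmpty()) {
            return "";
        }
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            out.append(HTML_ENTITIES.getOrDefault(c, String.valueOf(c)));
        }
        return out.toString();
    }

    // Stand-in for StringEscape.forURL. The Charset overload of URLEncoder.encode
    // (Java 10+) is used so that no checked UnsupportedEncodingException is declared.
    static String forURL(String fragment) {
        if (fragment == null || fragment.isEmpty()) {
            return "";
        }
        return URLEncoder.encode(fragment, StandardCharsets.UTF_8);
    }

    // Builds an <a href> to a search page from two untrusted parameter values.
    // Order matters: URL-encode each value, assemble the query string, then
    // HTML-escape the whole attribute value so the '&' separators become &amp;.
    static String searchLink(String query, String lang) {
        String href = "/search?q=" + forURL(query) + "&lang=" + forURL(lang);
        return "<a href=\"" + forHTML(href) + "\">search</a>";
    }

    // Reversed order, shown for contrast: HTML-escaping first leaves the entity's
    // '&' and ';' to be percent-encoded by forURL, so the server receives "a&amp;b"
    // instead of "a&b", and the raw '&' between parameters is never escaped for HTML.
    static String searchLinkWrongOrder(String query, String lang) {
        String href = "/search?q=" + forURL(forHTML(query)) + "&lang=" + forURL(forHTML(lang));
        return "<a href=\"" + href + "\">search</a>";
    }

    public static void main(String[] args) {
        // Constructed inputs: an XSS probe and a value containing a query separator.
        String probe = "\"><script>alert(1)</script>";
        String query = "a&b c";
        System.out.println(forHTML(probe));
        System.out.println(searchLink(query, "en"));
        System.out.println(searchLinkWrongOrder(query, "en"));
    }
}
```

      In the correctly ordered link the '%' and '+' produced by URL-encoding are themselves turned into numeric entities by forHTML; the browser decodes the entities when parsing the attribute and the URL it navigates to is the one forURL produced.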
    • forXML

      public static String forXML(String text)
      Escape characters for text appearing as XML data, between tags.

      The following characters are replaced with corresponding character entities :

      character - encoding mapping
      Character Encoding
      < &lt;
      > &gt;
      & &amp;
      " &quot;
      ' &#039;

      Note that JSTL's <c:out> escapes the exact same set of characters as this method. That is, <c:out> is sufficient for producing well-formed XML, but it does not apply the wider set of characters that forHTML(String) escapes for HTML output.

      Parameters:
      text - the text to be escaped to XML
      Returns:
      the escaped text, an empty String if the text was empty or null.
    • forXMLAttribute

      public static String forXMLAttribute(String text)
      Escape characters for text appearing as XML attribute data.

      The following characters are replaced with corresponding character entities:

      Escape codes
      Character Encoding
      < &lt;
      > &gt;
      & &amp;
      " &quot;
      ' &#039;
      \n &#10;
      \r &#13;

      Note that JSTL's <c:out> escapes only the first five of the above characters, the same set as forXML(String); it does not touch line breaks. A literal newline or carriage return inside an attribute value is replaced by a space by XML attribute-value normalisation when the document is parsed, whereas the character references &#10; and &#13; survive parsing. Use this method, not forXML(String), for attribute values whose line breaks must round-trip.

      Parameters:
      text - the text to be escaped to XML
      Returns:
      the escaped text, an empty String if the text was empty or null.
      Since:
      8.4.22
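      The following added example (not part of the original page or of the Aquima library) demonstrates why forXMLAttribute escapes \n and \r where forXML does not: it feeds an attribute value with a quote and a line break through the JDK's DOM parser three ways and reads the attribute back. The forXMLAttribute method in the example is a stand-in built from the table above; the class name XmlAttributeDemo, the element <e> and its attribute v are assumptions for the demo.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public final class XmlAttributeDemo {

    // Stand-in for StringEscape.forXMLAttribute, built from the table above.
    static String forXMLAttribute(String text) {
        if (text == null || text.isEmpty()) {
            return "";
        }
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#039;"); break;
                case '\n': out.append("&#10;");  break;
                case '\r': out.append("&#13;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Parses a one-element document and returns the value of its "v" attribute
    // as the parser delivers it, i.e. after attribute-value normalisation.
    static String parseAttribute(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations so the demo parser cannot be abused for XXE.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getAttribute("v");
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: contains a line break and a double quote.
        String value = "line one\nline two \"quoted\"";

        // 1. Unescaped: the embedded quote ends the attribute early and the
        //    document is rejected as not well-formed.
        try {
            parseAttribute("<e v=\"" + value + "\"/>");
        } catch (SAXException ex) {
            System.out.println("unescaped: " + ex.getMessage());
        }

        // 2. Only the five forXML entities (what forXML would produce for this
        //    input): the quote is safe, but the literal newline is normalised
        //    to a space by the parser, so the value no longer contains '\n'.
        String textEscaped = forXMLAttribute(value).replace("&#10;", "\n");
        String viaForXML = parseAttribute("<e v=\"" + textEscaped + "\"/>");
        System.out.println("forXML keeps newline:          " + viaForXML.contains("\n"));

        // 3. forXMLAttribute: &#10; is a character reference, which normalisation
        //    leaves alone, so the parsed value still contains the newline.
        String viaForXMLAttribute = parseAttribute("<e v=\"" + forXMLAttribute(value) + "\"/>");
        System.out.println("forXMLAttribute keeps newline: " + viaForXMLAttribute.contains("\n"));
    }
}
```

      The disallow-doctype-decl feature is supported by the JDK's built-in Xerces parser and is the usual first step in hardening any DocumentBuilder that touches untrusted XML; it is unrelated to the escaping being demonstrated but should not be left out of a parser you copy from an example.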
    • forRegex

      public static String forRegex(String regexFragment)
      Replace characters having special meaning in regular expressions with their escaped equivalents, each preceded by a '\' character, so that the fragment matches itself literally when embedded in a larger pattern. Without this, user input placed in a pattern can make the pattern fail to compile (an unbalanced '(' or '['), change its meaning ('.' matching any character) or introduce quantifiers that are expensive to evaluate.

      The escaped characters include:

      • .
      • \
      • ?, * , and +
      • &
      • :
      • |
      • { and }
      • [ and ]
      • ( and )
      • ^ and $
      Parameters:
      regexFragment - the text to be escaped to a regular expression
      Returns:
      the escaped text, an empty String if the text was empty or null.
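      The following added example (not part of the original page or of the Aquima library) shows the failure modes that forRegex prevents: a user-supplied needle containing '(' and '.' is embedded in a java.util.regex pattern with and without escaping. The forRegex method in the example is a stand-in covering exactly the characters listed above; the class name RegexEscapeDemo and the sample log line are assumptions for the demo.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public final class RegexEscapeDemo {

    // The characters listed in the forRegex documentation above. A backslash
    // before a non-alphabetic character is always accepted by java.util.regex,
    // so escaping '&' and ':' (which are only special in some contexts) is harmless.
    private static final String REGEX_SPECIALS = ".\\?*+&:|{}[]()^$";

    // Stand-in for StringEscape.forRegex: prefixes each listed character with '\'.
    static String forRegex(String fragment) {
        if (fragment == null || fragment.isEmpty()) {
            return "";
        }
        StringBuilder out = new StringBuilder(fragment.length() + 8);
        for (int i = 0; i < fragment.length(); i++) {
            char c = fragment.charAt(i);
            if (REGEX_SPECIALS.indexOf(c) >= 0) {
                out.append('\\');
            }
            out.append(c);
        }
        return out.toString();
    }

    // Reports whether "text" contains the untrusted "needle" as a literal substring.
    // The needle is embedded in a regex so callers can wrap it with anchors or
    // flags; escaping is what keeps it literal.
    static boolean containsLiteral(String text, String needle) {
        return Pattern.compile(forRegex(needle)).matcher(text).find();
    }

    public static void main(String[] args) {
        // Constructed input: a log line and two needles a user might search for.
        String log = "total: 12.50 (USD)";
        String needle = "12.50 (USD";      // unbalanced '(' and a '.' that must stay literal

        // Escaped: the '(' is literal, so the pattern compiles and matches the text.
        System.out.println("escaped, literal match:    " + containsLiteral(log, needle));
        // Escaped: '.' no longer matches any character, so "12x50" is not found.
        System.out.println("escaped, '.' kept literal: " + containsLiteral("total: 12x50", "12.50"));

        // Raw: the same needle is an unclosed group and the pattern is rejected.
        try {
            Pattern.compile(needle);
        } catch (PatternSyntaxException ex) {
            System.out.println("raw needle rejected: " + ex.getDescription());
        }
        // Raw: '.' matches any character, a silent false positive for "12x50".
        System.out.println("raw, '.' is a wildcard:    "
                + Pattern.compile("12.50").matcher("total: 12x50").find());
    }
}
```

      The JDK's own equivalent is Pattern.quote(String), which wraps the fragment in \Q ... \E instead of escaping characters one by one; either approach is acceptable, but a fragment passed through one must not also be passed through the other.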