Class StringEscape
- Since: 5.0
- Author: O. Kerpershoek
Method Summary
Modifier and Type | Method | Description
static String | forHTML(String text) | Escape characters for text appearing in HTML markup.
static String | forRegex(String regexFragment) | Replace characters having special meaning in regular expressions with their escaped equivalents, preceded by a '\' character.
static String | forURL(String urlFragment) | Synonym for URLEncoder.encode(String, "UTF-8").
static String | forXML(String text) | Escape characters for text appearing as XML data, between tags.
static String | forXMLAttribute(String text) | Escape characters for text appearing as XML attribute data.
Method Details
forHTML
Escape characters for text appearing in HTML markup. This method exists as a defence against Cross Site Scripting (XSS) attacks. It escapes all characters recommended by the Open Web Application Security Project (OWASP).
The following characters are replaced with their corresponding HTML character entities:
< > & " ' ( ) # % ; + -
Note that JSTL's <c:out> escapes only the first five of the above characters (< > & " ').
- Parameters:
  - text - the text to be escaped to HTML
- Returns:
  - the escaped text, an empty String if the text was empty or null.
forURL
Synonym for URLEncoder.encode(String, "UTF-8"). Used to ensure that HTTP query strings are in proper form, by escaping special characters such as spaces.
It is important to note that if a query string appears in an HREF attribute, there are two separate issues: ensuring the query string is valid for HTTP (it is URL-encoded), and ensuring it is valid HTML (the ampersand that separates parameters is escaped as an HTML entity). Each layer of escaping must be applied once, in that order.
- Parameters:
  - urlFragment - the text to be escaped to URL
- Returns:
  - the escaped text, an empty String if the text was empty or null.
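The two-layer case described above, as an added example that is not part of StringEscape: forURL is reproduced with the JDK call the page names, and forHTMLAttribute is a minimal escaper written for this example (it handles only the five characters common to HTML and XML, not the full OWASP list); the class and method names are assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class HrefLayeringDemo {
    // URL layer: the JDK call the page says forURL is a synonym for
    // (Charset overload, Java 10+, so no checked exception to handle).
    static String forURL(String urlFragment) {
        return urlFragment == null ? "" : URLEncoder.encode(urlFragment, StandardCharsets.UTF_8);
    }
    // HTML layer: attribute escaper written for this example only; it covers the
    // five characters every HTML/XML escaper agrees on, not the longer list that
    // StringEscape.forHTML handles.
    static String forHTMLAttribute(String text) {
        if (text == null) return "";
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (char c : text.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
    // Applies each layer exactly once, in order: (1) every key and value is
    // URL-encoded so '&', '<' or '"' inside data cannot break the query string;
    // (2) the assembled URL is HTML-escaped so the '&' separating parameters is
    // valid inside the attribute. Swapping the order corrupts the data.
    static String anchor(String path, Map<String, String> params, String label) {
        StringBuilder url = new StringBuilder(path);
        char sep = '?';
        for (Map.Entry<String, String> p : params.entrySet()) {
            url.append(sep).append(forURL(p.getKey())).append('=').append(forURL(p.getValue()));
            sep = '&';
        }
        return "<a href=\"" + forHTMLAttribute(url.toString()) + "\">" + forHTMLAttribute(label) + "</a>";
    }
    public static void main(String[] args) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("q", "a b&c<d \"e\"");   // constructed input mixing URL and HTML metacharacters
        params.put("page", "2");
        System.out.println(anchor("search", params, "next"));
    }
}
```

In the printed anchor, the ampersand inside the value of q survives only as a percent-encoded byte, while the ampersand between q and page appears as an HTML entity; a browser undoes the HTML layer first and the server undoes the URL layer second, recovering the original value.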
forXML
Escape characters for text appearing as XML data, between tags. The following characters are replaced with their corresponding character entities:
< > & " '
Note that JSTL's <c:out> escapes exactly the same set of characters as this method. That is, <c:out> is good for escaping to produce valid XML, but not for producing safe HTML.
- Parameters:
  - text - the text to be escaped to XML
- Returns:
  - the escaped text, an empty String if the text was empty or null.
forXMLAttribute
Escape characters for text appearing as XML attribute data. The following characters are replaced with their corresponding character entities:
< > & " ' \n \r
Note that JSTL's <c:out> escapes the same set of printable characters as this method but not the newline and carriage return. That is, <c:out> is good for escaping to produce valid XML, but not for producing safe HTML.
- Parameters:
  - text - the text to be escaped to XML
- Returns:
  - the escaped text, an empty String if the text was empty or null.
- Since: 8.4.22
forRegex
Replace characters having special meaning in regular expressions with their escaped equivalents, preceded by a '\' character. The escaped characters include:
- .
- \
- ?, *, and +
- &
- :
- |
- { and }
- [ and ]
- ( and )
- ^ and $
- Parameters:
  - regexFragment - the text to be escaped to a regular expression
- Returns:
  - the escaped text, an empty String if the text was empty or null.