I have the below code in my JSP. UI displays every character correctly other than "&".

<c:out value="<script>var escapedData=unescape('${column}');
$('div').html(escapedData);</script>" escapeXml="false" />  </div>

E.g. 1) working case

input = ni!er@

Value in my escapedData variable is ni%21er%40. Now when I put it in my div using $('div').html(escapedData); then o/p on html is as expected

E.g. 2) Issue case

input = nice&

Value in my escapedData variable is nice%26. Now when I put it in my div using $('div').html(escapedData); then also it displays below

$('#test20').html('nice%26');

However, when output is displayed in JSP, it just prints "nice". It truncates everything after &.

Any suggestions?

ArtOfCode

1 Answer

It looks like you have some misunderstandings about what unescape(val)/escape(val) do and where you need them, and about what you need to pay attention to when you use .html().

HTML and URI have certain characters that have special meanings. The most important ones are:

HTML: <, >, &

URI: /, ?, %, &

If you want to use one of those characters in HTML or URI you need to escape them.

The escaping for URI and for HTML are different.

The functions unescape/escape (deprecated) and decodeURI/encodeURI are for URI. But what you want is to escape your data into the HTML format.

There is no built-in function in JS that does this, but you could e.g. use the code from the answer to this question: Can I escape html special chars in javascript?.

But as it seems that you use jQuery you could think of just using .text instead of .html as this will do the escaping for you.

An additional note:
I'm pretty sure that the var escapedData=unescape('${column}'); does not do anything. I assume that ${column} already is ni!er@/nice&.

So please check your source code. If var escapedData=unescape('${column}'); looks like var escapedData=unescape('ni!er@'); then you should remove the unescape, otherwise you would not get the expected result if ${column} contains something like e.g. %23.

t.niese
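The distinction the answer draws between URI escaping and HTML escaping, as an added example that is not part of the answer above and is not jQuery's own code. The helper names escapeHtml and toHtmlText are hypothetical, the sample values are constructed, and decodeURIComponent stands in for the deprecated unescape.

```javascript
// Added example: HTML-escaping vs. URI-decoding for values bound for .html().
// escapeHtml and toHtmlText are hypothetical helper names, not jQuery APIs.

const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every character that has a special meaning in HTML markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Turn a server value into text that is safe to pass to .html().
// percentEncoded=true means the server really URI-encoded it (e.g. "nice%26").
function toHtmlText(value, percentEncoded) {
  let text = String(value);
  if (percentEncoded) {
    try {
      text = decodeURIComponent(text);
    } catch (e) {
      // Malformed sequence such as "100%": keep the raw text instead of throwing.
    }
  }
  return escapeHtml(text);
}

// Constructed sample inputs.
const samples = [
  ["nice%26", true],       // encoded "&" is decoded, then HTML-escaped
  ["nice&", false],        // already plain text, only HTML-escaped
  ["50%23off", false],     // literal "%23" must not become "#"
  ["<b>hi</b>", false],    // markup characters are shown as text
];
for (const [value, encoded] of samples) {
  console.log(JSON.stringify(value), "->", toHtmlText(value, encoded));
}
```

Passing the returned string to .html() displays the same characters that .text() would display for the unescaped value.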