
The application I support is going through security review and there are some questions regarding escaping special characters. I have not been supporting this application for a long time and I'm not very knowledgeable about escaping special characters. The question I was asked is "Why are you JavaScript encoding the value and then HTML encoding it? Is that value written out in a context that requires the value to be encoded for both contexts?"

What is the difference between the JavaScript encoding and the HTML encoding used here? Why would I need both in my code?

Any information regarding this will be greatly appreciated!

import java.sql.ResultSet;
import java.sql.SQLException;

// commons-lang 2.x; in commons-lang3 escapeJavaScript was renamed escapeEcmaScript
import org.apache.commons.lang.StringEscapeUtils;

/**
 * Delegates to the wrapped ResultSet (ResultSetWrapper is the application's own
 * delegating base class, not shown) and escapes every String column twice on the
 * way out: first as a JavaScript string literal, then as HTML. Both escapers pass
 * null through unchanged, so NULL columns stay null.
 */
public class HTMLEncodedResultSet extends ResultSetWrapper {

    public HTMLEncodedResultSet(ResultSet resultSet) {
        super(resultSet);
    }

    @Override
    public String getString(int columnIndex) throws SQLException {
        return StringEscapeUtils.escapeHtml(StringEscapeUtils.escapeJavaScript(super.getString(columnIndex)));
    }

    @Override
    public String getString(String columnName) throws SQLException {
        return StringEscapeUtils.escapeHtml(StringEscapeUtils.escapeJavaScript(super.getString(columnName)));
    }

}
UrsinusTheStrong
alex kleyn1
2 Answers


From the official documentation:

escapeHtml

Escapes the characters in a String using HTML entities.

For example:

"bread" & "butter"

becomes: &quot;bread&quot; &amp; &quot;butter&quot;.

escapeJavaScript

Escapes the characters in a String using JavaScript String rules.

Escapes any values it finds into their JavaScript String form. Deals correctly with quotes and control-chars (tab, backslash, cr, ff, etc.)

So a tab becomes the characters '\' and 't'.

Example:

input string: He didn't say, "Stop!"

output string: He didn\'t say, \"Stop!\"

So, given that JS and HTML reserved characters are not the same, in your case if the input has HTML and JS code it may be necessary to invoke both methods.

Dagriel

It looks like your application has JavaScript snippets stored in the database. These snippets might create or contain HTML parts (e.g. for generating dynamic HTML based on interaction). When loading these snippets from the DB as a string in Java, both JavaScript and HTML encoding are required.

Here is an example of a value that could be stored in the DB.

// Wrap every character of #fire in its own <span> so each letter can be animated separately
var obj = $('#fire');
var fps = 200;                              // timer interval in milliseconds
var letters = obj.html().split('');         // one array element per character
obj.empty();
$.each(letters, function(i, letter){
    obj.append($('<span>' + letter + '</span>'));
});
var animateLetters = obj.find('span');
// Every tick, give each letter a random font size between 80 and 129
setInterval(function(){
    animateLetters.each(function(){
        $(this).css('fontSize', 80 + Math.floor(Math.random() * 50));
    });
}, fps);

Referring to the documentation:

escapeHTML: Escapes the characters in a String using HTML entities.

For example:

"bread" & "butter"

becomes: &quot;bread&quot; &amp; &quot;butter&quot;.

and

escapeJavaScript: Escapes any values it finds into their JavaScript String form. Deals correctly with quotes and control-chars (tab, backslash, cr, ff, etc.)

So a tab becomes the characters '\' and 't'.

The only difference between Java strings and JavaScript strings is that in JavaScript, a single quote must be escaped.

Example:

input string: He didn't say, "Stop!"

output string: He didn\'t say, \"Stop!\"

swinkler
Comment by phuclv (Aug 12 '15 at 04:12): take a [tour](http://stackoverflow.com/tour) of SO first and [accept an answer](http://stackoverflow.com/help/accepted-answer) if it helps you
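Both answers make the same point: HTML and JavaScript reserve different characters, so a value may need one, the other, or both, depending on where it is written out. The following is an added example, not code from the question or from either answer: `escapeHtml` and `escapeJavaScript` below are small stand-ins that mirror what the Commons Lang methods of those names do to the characters that matter here, the decode helpers simulate the order in which a browser decodes each output context, and the context names, payloads and function names are assumptions made for this illustration.

```javascript
// Added example, not code from the question or either answer. escapeHtml and
// escapeJavaScript are stand-ins for the Commons Lang methods of the same name;
// the decode helpers simulate the browser. Context names and payloads are
// assumptions made for this illustration.

// Stand-in for StringEscapeUtils.escapeHtml on the HTML-significant characters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return s.replace(/[&<>"]/g, c => map[c]);
}

// Stand-in for StringEscapeUtils.escapeJavaScript: quotes, backslash, '/' and
// control characters become JavaScript string escapes.
function escapeJavaScript(s) {
  const map = { '\\': '\\\\', "'": "\\'", '"': '\\"', '/': '\\/',
                '\n': '\\n', '\r': '\\r', '\t': '\\t' };
  return s.replace(/[\\'"\/\n\r\t]/g, c => map[c]);
}

// What the HTML parser does to text nodes and attribute values: entity decoding.
function htmlDecode(s) {
  const map = { quot: '"', amp: '&', lt: '<', gt: '>', '#39': "'" };
  return s.replace(/&(quot|amp|lt|gt|#39);/g, (m, e) => map[e]);
}

// What the JS engine does to the body of a single-quoted string literal.
// Returns null when an unescaped quote ends the literal early: everything after
// it would run as code, which is the breakout an injected value aims for.
function jsStringLiteralBody(body) {
  const map = new Map([['n', '\n'], ['r', '\r'], ['t', '\t']]);
  let out = '';
  for (let i = 0; i < body.length; i++) {
    const c = body[i];
    if (c === '\\') {
      const n = body[++i] ?? '';
      out += map.has(n) ? map.get(n) : n;   // \' \" \/ \\ \& all yield the bare char
    } else if (c === "'") {
      return null;
    } else {
      out += c;
    }
  }
  return out;
}

// The value the page's own script ends up with after the browser has decoded
// `encoded` in the given context; null means the data escaped its context.
function valueSeenBy(context, encoded) {
  switch (context) {
    case 'html-text':        // <p>VALUE</p>: one HTML decode
      return /[<>]/.test(encoded) ? null : htmlDecode(encoded);
    case 'script-literal':   // <script>var v = 'VALUE';</script>: one JS decode
      return /<\/script/i.test(encoded) ? null : jsStringLiteralBody(encoded);
    case 'attr-literal':     // <a onclick="f('VALUE')">: HTML decode, then JS decode
      return encoded.includes('"') ? null : jsStringLiteralBody(htmlDecode(encoded));
    default:
      throw new Error('unknown context ' + context);
  }
}

// Constructed inputs: one aimed at a JS string literal, one at an HTML
// attribute, and one ordinary value containing characters both encoders touch.
const PAYLOADS = {
  breakLiteral: "'); alert(1); //",
  breakAttribute: '" onmouseover="alert(1)',
  benign: 'He said "hi" & left',
};

const ENCODERS = {
  htmlOnly: s => escapeHtml(s),
  jsOnly: s => escapeJavaScript(s),
  htmlOfJs: s => escapeHtml(escapeJavaScript(s)),  // the order HTMLEncodedResultSet uses
};

// For each context/encoder/payload: true when the value round-trips intact,
// false when it reaches the script mangled, null when it broke out of its context.
function roundTripMatrix() {
  const result = {};
  for (const context of ['html-text', 'script-literal', 'attr-literal']) {
    result[context] = {};
    for (const [encName, enc] of Object.entries(ENCODERS)) {
      result[context][encName] = {};
      for (const [payName, payload] of Object.entries(PAYLOADS)) {
        const seen = valueSeenBy(context, enc(payload));
        result[context][encName][payName] = seen === null ? null : seen === payload;
      }
    }
  }
  return result;
}

console.log(JSON.stringify(roundTripMatrix(), null, 2));
```

Reading the matrix: `htmlOfJs`, the order the wrapper in the question uses, round-trips every payload only in `attr-literal`, because the browser decodes an attribute HTML-first and then parses the JavaScript, the reverse of the encoding order. In `html-text` the same output leaves stray backslashes in the page, and in `script-literal` it leaves `&quot;` and `&amp;` inside the string, while `jsOnly` there keeps the value intact and also turns `</script>` into `<\/script>` so the block cannot be closed early. `htmlOnly` is the right choice for a text node and lets an attacker-controlled `'` end the literal in both script contexts, and `jsOnly` in an attribute lets a `"` end the attribute. So the answer to the reviewer's question is: only if the column is written into a JavaScript string literal inside an HTML attribute. A ResultSet wrapper cannot know which of these contexts a column will land in, which is why the encoding is normally chosen at the point where the value is written out rather than once at the data layer.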