For example, in my Java servlet project I return the text that the user entered on the site back to the same site (and in multiple places inside the HTML and the JavaScript, a potential XSS attack).

Is it correct to use the Apache StringEscapeUtils class to escape for both HTML and JavaScript at the same time, like this:

import static org.apache.commons.lang3.StringEscapeUtils.escapeHtml4;
import static org.apache.commons.lang3.StringEscapeUtils.escapeEcmaScript;

// HTML-escape the request parameter first, then JavaScript-escape the result
String sample_string = escapeEcmaScript(escapeHtml4(request.getParameter("sample_string")));
Šime Tokić
  • 700
  • 1
  • 9
  • 22
  • Note: escapeEcmaScript has a completely different purpose for which you can find a real world use case here: http://stackoverflow.com/q/9708242/ – BalusC Dec 21 '15 at 09:32

1 Answer

1

You can use either Spring's HtmlUtils:

import org.springframework.web.util.HtmlUtils;

HtmlUtils.htmlEscape(input)

or Apache commons StringEscapeUtils:

// commons-lang 2.x; in commons-lang3 the same method is named escapeHtml4
import org.apache.commons.lang.StringEscapeUtils;

StringEscapeUtils.escapeHtml(input)

When you escape the HTML, you should not have to worry about the JavaScript. Since the HTML is escaped, the JavaScript will just be shown as plain text, and not run.

Ivar
  • 6,138
  • 12
  • 49
  • 61
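An added example (not the asker's or the answerer's code) of the asker's situation, one value rendered both in HTML text and inside an inline script, escaped once per output context with commons-lang3's StringEscapeUtils; the class name, the sample input and the page fragment are assumed for illustration.

```java
import org.apache.commons.lang3.StringEscapeUtils;

// Added example: pick the escaper by the context the value lands in,
// instead of stacking escapeHtml4 and escapeEcmaScript on every value.
public class ContextEscaping {

    // Context 1: text between HTML tags or in a double-quoted attribute.
    // escapeHtml4 encodes < > & " but leaves the apostrophe alone, so the
    // result must not be placed in a single-quoted attribute.
    static String forHtmlText(String value) {
        return StringEscapeUtils.escapeHtml4(value);
    }

    // Context 2: the body of a double-quoted JavaScript string literal inside
    // a <script> block. escapeEcmaScript backslash-escapes quotes, backslashes
    // and '/', so "</script>" becomes "<\/script>" and cannot end the block.
    static String forJsStringLiteral(String value) {
        return StringEscapeUtils.escapeEcmaScript(value);
    }

    // Context 3 (the one case where both escapers apply): a JavaScript string
    // inside an inline event-handler attribute. The browser decodes the HTML
    // attribute first and then parses JavaScript, so the JavaScript escaping
    // is applied first and the HTML escaping wraps it, the reverse of the
    // order in the question.
    static String forInlineHandlerString(String value) {
        return StringEscapeUtils.escapeHtml4(StringEscapeUtils.escapeEcmaScript(value));
    }

    // Assumed page fragment that echoes the same user text in all three contexts.
    static String render(String userText) {
        return "<p>You entered: " + forHtmlText(userText) + "</p>\n"
             + "<script>var entered = \"" + forJsStringLiteral(userText) + "\";</script>\n"
             + "<button onclick=\"show(&quot;" + forInlineHandlerString(userText)
             + "&quot;)\">Show</button>";
    }

    public static void main(String[] args) {
        // Constructed sample input containing characters special in both contexts.
        String userText = "O'Brien <b>&</b> \"quoted\" </script>";
        System.out.println(render(userText));
    }
}
```

Running this shows the HTML context keeps the apostrophe but entity-encodes the tags, while the script context keeps the tags but backslash-escapes the quotes and the `/` of `</script>`; applying both escapers to one value, as in the question, leaves `&lt;` and `&quot;` as literal text in the JavaScript string.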