I would like to escape characters in JSP pages. Which is more suitable, escapeXml or escapeHtml?

BalusC
eugenn

4 Answers

They're designed for different purposes: HTML has lots of entities that XML doesn't. XML only has 5 escapes:

&lt; represents "<"
&gt; represents ">"
&amp; represents "&"
&apos; represents "'"
&quot; represents '"'

While HTML has loads - think of &nbsp; &copy; etc. These HTML codes aren't valid in XML unless you include a definition in the header. The numeric codes (like &#169; for the copyright symbol) are valid in both.

Rudu
  • Ah look you added the JSP tag - I was wondering which language you were coming from. – Rudu Sep 17 '10 at 14:29
There's no such thing as escapeHtml in JSP. You normally use <c:out escapeXml="true"> (it by the way already defaults to true, so you can omit it) or fn:escapeXml() to escape HTML in JSP.

E.g.

<c:out value="Welcome, ${user.name}" />
<input name="foo" value="${fn:escapeXml(param.foo)}" />

It will escape them as XML entities which works perfectly fine in plain HTML as well. They are only literally called XML entities because HTML entities are invalid in XML.

See also:

BalusC
  • By "to escape HTML in JSP" you mean "to escape HTML in EL", right? – David Balažic Oct 04 '16 at 17:37
  • @DavidBalažic: "to escape HTML in JSP using EL". HTML doesn't harm in EL. – BalusC Oct 04 '16 at 18:05
  • My point was that the function is an EL function and can not be used outside of EL. Note that I am talking about `fn:escapeXml` only (my first comment was badly worded as I misread your sentence). So: `c:out` is for JSP, while `fn:escapeXml` is for EL (which can also at end wind up in HTML, of course). Sorry for the confusion. – David Balažic Oct 04 '16 at 18:11
  • @DavidBalažic: c:out is to escape HTML in JSP using JSTL. – BalusC Oct 04 '16 at 18:14
Since you are sending HTML back to the consumer I would go with escapeHtml.

escapeXml only supports escaping the five basic XML entities (gt, lt, quot, amp, apos) whereas escapeHtml supports escaping all known HTML 4.0 entities.

MasterScrat
Justin Niessner
  • the solution above yours very clearly states "There's no such thing as escapeHtml" in JSP. Not sure who is correct here but I definitely need to escape XML and HTML characters which means I really need an escape HTML. – fIwJlxSzApHEZIl Aug 30 '13 at 18:58
Assuming you're referring to commons StringEscapeUtils, escapeXml only deals with <>"'& while escapeHtml covers a richer set of characters.

Jon Freedman
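Added example, not code from any of the answers above nor from JSTL or Commons Lang: a small Java program that re-implements the five XML escapes the way JSTL's fn:escapeXml and <c:out> apply them (JSTL emits the numeric forms &#039; and &#034; for the two quote characters rather than &apos; and &quot;), and beside it an escapeHtml-style variant that additionally maps a constructed three-entry subset of the HTML 4.0 named entities, standing in for the much larger table that commons StringEscapeUtils.escapeHtml uses. It illustrates both the second answer's c:out / fn:escapeXml usage and the last answer's commons comparison. The class and method names (EscapeDemo, escapeXml, escapeHtmlLike), the HTML_EXTRA table and the sample input are assumptions made for this illustration.

```java
import java.util.Map;

// Added illustration of the escapeXml-vs-escapeHtml difference discussed
// above; not the JSTL or Commons Lang implementation. Needs Java 9+ (Map.of).
public final class EscapeDemo {

    // The five XML escapes as JSTL's fn:escapeXml / <c:out> apply them.
    // A null value becomes the empty string, as EL does for a missing param.
    public static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '\'': out.append("&#039;"); break;  // JSTL uses the numeric form
                case '"':  out.append("&#034;"); break;  // rather than &apos; / &quot;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Constructed subset of the HTML 4.0 named entities (hypothetical table;
    // the real commons escapeHtml table is far larger).
    private static final Map<Character, String> HTML_EXTRA = Map.of(
            '\u00A0', "&nbsp;",
            '\u00A9', "&copy;",
            '\u00E9', "&eacute;");

    // escapeHtml-style: the same five escapes first, then named entities for
    // the non-ASCII characters in the table. The security-relevant work is the
    // first step; the second only changes how non-ASCII text is represented.
    public static String escapeHtmlLike(String s) {
        String xml = escapeXml(s);
        StringBuilder out = new StringBuilder(xml.length() + 16);
        for (int i = 0; i < xml.length(); i++) {
            char c = xml.charAt(i);
            String named = HTML_EXTRA.get(c);
            if (named != null) {
                out.append(named);
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample standing in for an untrusted request parameter.
        String untrusted = "Tom & Jerry <b>bold</b> \"quoted\" 'single' &copy; \u00A9";

        System.out.println("escapeXml : " + escapeXml(untrusted));
        System.out.println("escapeHtml: " + escapeHtmlLike(untrusted));

        // The attribute case from the second answer: because " is escaped,
        // the value can never end the attribute early.
        System.out.println("<input name=\"foo\" value=\""
                + escapeXml(untrusted) + "\" />");
    }
}
```

With the sample input, the `&copy;` typed by the user comes out as `&amp;copy;` under both methods, so it is displayed literally and not as ©; the `<b>` and the quotes are neutralised identically by both. Only the real © character is treated differently (left as-is by escapeXml, turned into `&copy;` by the HTML-style variant), and on a page served with a declared charset such as UTF-8 the two render the same. That is why the XML-style escaping the second answer recommends is sufficient for HTML output, and why the "richer set" in the last answer is about representing non-ASCII characters, not about stronger protection.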