Java Regex, less than and more than sign

Question

I have a string that users are able to enter on the internet, currently it is not protected against XSS attacks. I would like to be able to replace < and > symbols. Commonly known as 'less than', 'more than', 'angle brackets' etc.

I am sure this has been asked a million times but I can't find a simple answer. I assume regex is the way forward but can't work out how to pick these characters.

score 8 · Accepted Answer · edited Dec 08 '14 at 15:59

8

You really should use StringEscapeUtils.escapeHtml() from Apache Commons Lang to instead of regex for this. E.g. all you need to do is:

String escaped = StringEscapeUtils.escapeHtml(input);

The best practice to protect against XSS is to escape all HTML entities and this method handles those cases for you. Otherwise you'll be writing, testing and maintaining your own code to do what has already been done. See the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet for more details.

edited Dec 08 '14 at 15:59

Gaʀʀʏ

4,372
3
39
59

answered Apr 13 '11 at 03:26

WhiteFang34

70,765
18
106
111

Just downloaded the library. Whats the difference between: escapeHTML3() and escapeHTML4()? – Dech Apr 13 '11 at 14:13
It appears that in 3.0-beta they've split the method into two parts. The [javadoc](http://commons.apache.org/lang/api-3.0-beta/org/apache/commons/lang3/StringEscapeUtils.html#escapeHtml4%28java.lang.String%29) only says that `escapeHTML4()` is for HTML 4.0 entities. The [changelog](http://commons.apache.org/lang/upgradeto3_0.html) mentions support for more entities. You might want to stay with the 2.6 stable release until 3.0 is out of beta, it's going to cover the important cases that you need for now. – WhiteFang34 Apr 13 '11 at 22:36

score 3 · Answer 2 · answered Apr 13 '11 at 03:20

3

Java regex shouldn't require any special treatment for angle brackets. This should work fine:

myString.replace("<", "less than").replace(">", "greater than");

Hope that helps.

-tjw

answered Apr 13 '11 at 03:20

Travis Webb

14,688
7
55
109

I think that should be `myString.replace("<", "<").replace(">", ">"); ` instead. – KP Taylor Apr 13 '11 at 03:26
2

Well yea, the "less than" and "greater than" are there to stand for whatever he wants to replace them with. His question was sufficiently vague that I didn't make the assumption that you made – Travis Webb Apr 13 '11 at 03:31
Fair enough! Agreed. +1 on comment. – KP Taylor Apr 13 '11 at 03:48

score 1 · Answer 3 · answered Apr 13 '11 at 03:24

1

As an alternative to regex, you can use a utility class like the Apache Commons StringEscapeUtils class to encode your HTML strings when they are posted back to the server and before storing them in the databse or re-sending them as output.

answered Apr 13 '11 at 03:24

KP Taylor

2,100
1
17
15

score 1 · Answer 4 · edited Jun 20 '20 at 09:12

Since you tagged this jsp, I'd like to add that the normal approach to escape HTML/XML in JSP is using the JSTL <c:out> tag or fn:escapeXml() function.

E.g.

<c:out value="${user.name}" />
<input type="text" name="name" value="${fn:escapeXml(user.name)}" />

No need for Apache Commons Lang. Plus, escaping should really be done in the view side, not in the model/controller side.

Java Regex, less than and more than sign

4 Answers4

See also: