28

I have this weird issue with special characters. In JSP, I am using the field name as the id, and the name can be anything like

id="<1 and &>2" (OR)
id="aaa & bbb"

I don't have any other option to use IDs other than names; that's the only thing I get from the backend.

So, is there any logic to remove all the special characters using JSTL? In the present scenario, in JS I will do some operations with the ID. This is causing many issues in each kind of browser.

Please suggest. Thanks in advance...

Max

4 Answers

52

The JSTL provides two means of escaping HTML special chars:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
[…]
<c:out value="${myName}"/> 

and

<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
[…]
${fn:escapeXml(myName)}

Both will transform the special chars into their respective HTML entities (< becomes &lt;, & becomes &amp;, ...).

Note that the IDs must be encoded in HTML, but not in JavaScript.

Álvaro González
JB Nizet
  • I don't need to use escapeXml because I am already getting data like < instead of – Max May 26 '11 at 07:18
  • So what? < contains an HTML special character : &. If < must be taken literally (i.e. be displayed as < in the web page), you must escape it, so that it becomes &lt;. – JB Nizet May 26 '11 at 07:34
  • hey sorry, its not about displaying, it is about putting the value in example div id. I am not able to refer this Id in js – Max May 26 '11 at 07:36
  • The fact that it's not displayed doesn't change anything. If the ID must be <, it must be written as &lt; in the HTML source code. Using document.getElementById("<") should return your div. See http://jsfiddle.net/JQrWu/ for an example. – JB Nizet May 26 '11 at 07:43
  • Hello. Please try this. – Max May 26 '11 at 07:54
  • This can't work. If the ID is someNumber:RANGE(<0.5), it must be encoded in HTML as someNumber:RANGE(<0.5), but not be encoded in JavaScript. And the ID used in the JavaScript code must obviously contain the :RANGE part. The following works as expected: Hello. Note that passing "someNumber:RANGE(<0.5)" through fn:escapeXml will give "someNumber:RANGE(<0.5)". – JB Nizet May 26 '11 at 08:04
  • Thanks buddy, this is what I am looking for. Please change your answer in the answer section. It might be helpful for someone. – Max May 26 '11 at 08:09
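The two output contexts from the answer above (HTML attribute versus JavaScript string literal), plus the single-quote case raised further down the page, shown as an added example in plain JavaScript that is not part of the original post. The escapeXml function reimplements the entity table of JSTL's fn:escapeXml (an assumption taken from the JSTL spec) so the block runs without a servlet container; decodeAttribute is a simplified stand-in for the browser's attribute decoding.

```javascript
// Added example (not from the original post): one backend-supplied ID rendered
// into two output contexts, each with the escaping that context needs.

// Mirrors the entity table of JSTL's fn:escapeXml (<, >, &, ', ") -- an assumption
// taken from the JSTL spec, reimplemented here so the block runs stand-alone.
function escapeXml(s) {
  const entities = { "<": "&lt;", ">": "&gt;", "&": "&amp;", "'": "&#039;", '"': "&#034;" };
  return String(s).replace(/[<>&'"]/g, (ch) => entities[ch]);
}

// Escaping for a JavaScript string literal: backslash, both quote kinds, line
// terminators, and "/" so that an ID containing "</script>" cannot end the block.
function escapeJsString(s) {
  const escapes = {
    "\\": "\\\\", "'": "\\'", '"': '\\"', "/": "\\/",
    "\n": "\\n", "\r": "\\r", "\u2028": "\\u2028", "\u2029": "\\u2029",
  };
  return String(s).replace(/[\\'"\/\n\r\u2028\u2029]/g, (ch) => escapes[ch]);
}

// Simplified stand-in for the browser's attribute decoding: shows that
// document.getElementById() sees the raw ID again, not the "&lt;" form.
function decodeAttribute(s) {
  const named = { lt: "<", gt: ">", amp: "&", "#039": "'", "#034": '"' };
  return s.replace(/&(lt|gt|amp|#039|#034);/g, (m, e) => named[e]);
}

// What the JSP should emit for one ID:
//   markup: HTML attribute context -> fn:escapeXml
//   script: JS string context      -> JS string escaping, NOT fn:escapeXml
function renderIdMarkup(rawId) {
  return {
    markup: `<div id="${escapeXml(rawId)}">Hello</div>`,
    script: `document.getElementById('${escapeJsString(rawId)}')`,
  };
}

// The mismatch discussed in the comments: feeding the escapeXml'd value into
// the JS lookup. The browser has already decoded the attribute, so the two
// sides only agree when the JS side uses the raw ID.
function idLookupMatches(rawId, useXmlEscapeInJs) {
  const domId = decodeAttribute(escapeXml(rawId));
  const jsId = useXmlEscapeInJs ? escapeXml(rawId) : rawId;
  return domId === jsId;
}
```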
26

I think your question was misunderstood. I arrived at the same point as you, and got the problem solved with escapeXml="false".

<c:out value="${id}" escapeXml="false"/> 

I had data in database like:

&lt;Hello World&gt;

and escapeXml="false" made it display

<Hello World>
James
2

I just faced a scenario where I had to escape ', i.e. the single quote, apart from other special characters. In that case fn:escapeXml failed. So I used JavaScriptUtils.javaScriptEscape() of the Spring API, created a tag and applied it. Now the issue is resolved. I also referred to this URL: http://www.coderanch.com/t/528521/JSP/java/Passing-JSTL-variable-special-characters.

RKH
2

I think this is what you are looking for:

Use Spring's HtmlUtils.htmlEscape(String input).

Ramesh PVK
  • Thanks for the link but it's not my requirement, I need to do the special character handling in frontend only. Just need to handle ID – Max May 26 '11 at 06:31
  • While this will work, this is not the proper way. In web applications, escaping should be done on the view side, not the business side. The JSP is the view, where using Java code is wrong. Use JSP taglibs/EL functions. – BalusC May 26 '11 at 11:45
  • @BalusC I agree, the same code can be moved to a tag and used that way. – Ramesh PVK May 26 '11 at 11:55
  • The JSTL `` and `fn:escapeXml()` already do that. No need for other libs. – BalusC May 26 '11 at 11:56
  • @BalusC Sorry, I was not aware of the JSTL function. I would also recommend ${fn:escapeXml}. Thanks. – Ramesh PVK May 26 '11 at 11:57
  • Guys, what he needs is javascript escape, not xml escape! Even if you escape with c:out escapeXml="true", still the things like apostrophes are not escaped to be used in javascript! – Sorin Postelnicu Dec 14 '12 at 14:50
  • @BalusC why we should not escape special characters in the business side – priyadarshini Jul 25 '19 at 06:28
  • @priyadarshini: HTML is usually not executed by Java. HTML is usually only executed by the web browser. You can find a better answer here: https://stackoverflow.com/q/2658922 – BalusC Jul 25 '19 at 08:28
  • @BalusC I know HTML is usually not executed by Java but if you do XSS prevention only in client-side (like by using javascript) they can easily disable js in browser however they can hit server-side code, so I think it's always better to do in client and server side – priyadarshini Jul 25 '19 at 12:33
  • @priyadarshini: where did you read that escaping is done by a client side language like JavaScript? Java/JSP/JSTL/EL is not a client side language at all. Note that when I said "view side" I did not say "client side" but I was referring to the JSP page (which is still in server side). JSP files are "view" and Java code (servlets/beans/etc) are "business". Carefully read this to understand XSS better https://stackoverflow.com/questions/2658922/xss-prevention-in-jsp-servlet-web-application – BalusC Jul 25 '19 at 12:42