Re: [jetty-users] Escape HTML in Jetty

Escaping text can be rather complicated.

Some things to think about (not exhaustive):

* Escaping HTML/XHTML/XML?
* Do you want/need an HTML parser?
* Do you escape it all/some (e.g. allow "<br>" but not the rest)?
* Do you escape Unicode? If so, to what target (form encoding? URL encoding? other?)
* What is your target encoding? (UTF-8? UTF-16? ISO-8859-1? other?)
* What target are you escaping to? (HTML presentation? JSON? browser? XML attribute? YAML text? Java manifests? etc.)
* Is your target a URL? (you have different rules for escaping in hostname vs. path vs. query)
Joakim Erdfelt / joakim@xxxxxxxxxxx

On Tue, Mar 6, 2018 at 10:19 AM, John English <john.foreign@xxxxxxxxx> wrote:
On 05/03/2018 21:01, Alexander Farber wrote:
Good evening,

What would be a method in Jetty to escape HTML characters in a String?

OWASP has an easy-to-use Encoder class:
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

The OWASP XSS prevention cheat sheet is also worth a read:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

--
John English
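
Added example, not code from the thread or from Jetty: it puts Joakim's "what target are you escaping to?" checklist and John's OWASP Java Encoder pointer together by rendering one untrusted String into four different sinks, each with the encoder for that context. It assumes the org.owasp.encoder:encoder artifact is on the classpath; the class name, the render method and the sample input are made up for the example. Inside a Jetty servlet you would write the returned page to response.getWriter() after response.setContentType("text/html;charset=UTF-8"), which also settles the target-encoding question from the list.

```java
// Added example (not from the thread): one untrusted string, four output
// contexts, four different encoders from the OWASP Java Encoder.
// Assumes org.owasp.encoder:encoder (1.2.x) is on the classpath.
import org.owasp.encoder.Encode;

public class ContextAwareEscaping {

    /** Builds a page that embeds {@code name} in four different sinks. */
    static String render(String name) {
        StringBuilder html = new StringBuilder();
        html.append("<!DOCTYPE html><html><head><meta charset=\"UTF-8\"></head><body>\n");

        // 1. HTML element content: forHtml escapes < > & " ' and friends.
        html.append("<p>Hello, ").append(Encode.forHtml(name)).append("</p>\n");

        // 2. Quoted HTML attribute value: forHtmlAttribute.
        html.append("<input type=\"text\" name=\"name\" value=\"")
            .append(Encode.forHtmlAttribute(name)).append("\">\n");

        // 3. URL query component inside an href: percent-encode for the URL
        //    first (inner context), then attribute-encode the result (outer
        //    context). This is the "is your target a URL?" item from the
        //    checklist; hostname and path components would need different
        //    rules again.
        html.append("<a href=\"/greet?name=")
            .append(Encode.forHtmlAttribute(Encode.forUriComponent(name)))
            .append("\">link to self</a>\n");

        // 4. JavaScript string literal inside a <script> block: forJavaScript
        //    escapes quotes and backslash and also '<' and '/', so a
        //    "</script>" in the input cannot close the block early.
        html.append("<script>var who = '").append(Encode.forJavaScript(name))
            .append("';</script>\n");

        html.append("</body></html>\n");
        return html.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input that hits the dangerous characters of
        // all four contexts at once.
        String hostile = "Bob</script><script>alert(1)</script>&x=\"y\" 'z' /";
        System.out.print(render(hostile));
    }
}
```

The point of using four calls rather than one generic "escape HTML" helper is the one Joakim makes: an encoder is only correct for the context it targets, and a value that passes through two contexts (the URL inside the attribute) has to be encoded once per context, inner first.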
