Escaping html in Java

后端 未结 3 796
别那么骄傲
别那么骄傲 2021-02-13 13:53

How do I make sure I don\'t escape something twice?

I\'ve heard that its good practice to escape values as you receive them from a form, and also escape when you output.

3条回答
  •  情歌与酒
    2021-02-13 14:50

    I presume that you're using JSP.

    Just escape during display only. There for the JSTL tag is perfectly suitable. It escapes HTML entities by default. Use it to display every user-controlled input, such as request URL, request headers and request parameters.

    E.g.

    ">
    

    Escaping during input is not needed. XSS doesn't harm in raw Java code nor in SQL databases. On the other hand, you would also rather save data unmodified in DB so that you can still see what the user actually entered, so that you can if necessary do social actions on mailicious users.

    If you'd like to know what to escape during input, it would be SQL injection. In such case just use PreparedStatement instead of regular Statement whenever you want to save any user-controlled input in the database.

    E.g.

    create = connection.prepareStatement("INSERT INTO user (username, password) VALUES (?, MD5(?))");
    create.setString(1, username);
    create.setString(2, password);
    create.executeUpdate();
    

提交回复
热议问题