How do I make sure I don\'t escape something twice?
I\'ve heard that its good practice to escape values as you receive them from a form, and also escape when you output.
I presume that you're using JSP.
Just escape during display only. There for the JSTL
E.g.
">
Escaping during input is not needed. XSS doesn't harm in raw Java code nor in SQL databases. On the other hand, you would also rather save data unmodified in DB so that you can still see what the user actually entered, so that you can if necessary do social actions on mailicious users.
If you'd like to know what to escape during input, it would be SQL injection. In such case just use PreparedStatement instead of regular Statement
whenever you want to save any user-controlled input in the database.
E.g.
create = connection.prepareStatement("INSERT INTO user (username, password) VALUES (?, MD5(?))");
create.setString(1, username);
create.setString(2, password);
create.executeUpdate();