How do I make sure I don't escape something twice?
I've heard that it's good practice to escape values as you receive them from a form, and also escape when you output.
Content that is harmless in one context can be dangerous in another context. The best way to avoid injection attacks is to prepare the content before passing it to another context. In your case HTML text changes its context when it is passed to the browser. The server doesn't render the HTML but the browser does. So be sure to pass no malicious HTML to the browser and mask it before sending.
Another argument to do so is that it could be possible that the attack code is assembled within the application from two or more inputs. Each of the inputs was harmless but together they can become dangerous.
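The following is an added example, not code from the original question or answer. It uses Python's standard `html.escape` to show the double-escaping that results from escaping on input and again on output, and how two inputs that each pass an input check are still neutralized when the assembled value is escaped once at output. The function names, the blocklist check and the sample values are constructed for illustration.

```python
import html


def escape_for_html(value: str) -> str:
    """Escape a value for the HTML text/attribute context."""
    return html.escape(value, quote=True)


def naive_input_check(value: str) -> bool:
    """Hypothetical input-time blocklist: True means 'looks harmless'."""
    return "<script" not in value.lower()


def render_escaped_twice(raw: str) -> str:
    """Anti-pattern: escape when received, then escape again on output."""
    stored = escape_for_html(raw)          # escaped on input
    return "<p>" + escape_for_html(stored) + "</p>"  # escaped again


def render_escaped_once(raw: str) -> str:
    """Store the raw value; escape only when it enters the HTML context."""
    stored = raw
    return "<p>" + escape_for_html(stored) + "</p>"


def render_greeting(first: str, last: str) -> str:
    """Two inputs are assembled inside the application, then escaped
    once at the point where the result is handed to the browser."""
    return "<p>Hello " + escape_for_html(first + last) + "</p>"


if __name__ == "__main__":
    sample = "Tom & Jerry <3"              # constructed sample input
    print(render_escaped_twice(sample))    # user sees literal "&amp;"
    print(render_escaped_once(sample))     # user sees "Tom & Jerry <3"

    # Constructed fragments: each one passes the input-time check alone.
    part_a, part_b = "<scr", "ipt>"
    print(naive_input_check(part_a), naive_input_check(part_b))
    print(naive_input_check(part_a + part_b))   # the combination does not
    print(render_greeting(part_a, part_b))      # inert after output escaping
```

Keeping the stored value raw and escaping exactly once, at the boundary of each output context, is what prevents both the double escape and the assembled-input case.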