HTML-Entity escaping to prevent XSS

Question

I have some user input. Within my code, I ensure that the following symbols are escaped:

& -> & 
< -> < 
> -> >
<         


        

Answer 1

I use the OWASP (ESAPI) library as well, to escape strings for different types of display, use :

String html = ESAPI.encoder().encodeForHTML("hello < how > are 'you'");
String html_attr = ESAPI.encoder().encodeForHTMLAttribute("hello < how > are 'you'");
String js = ESAPI.encoder().encodeForJavaScript("hello < how > are 'you'");

HTML (assume jsp)

<tag attr="<%= html_attr %>" onclick="alert('<%= js %>')"><%= html %></tag>

Update (2017)

As ESAPI Encoders are considered legacy, a better alternative has been created and is actively being maintained, I would strongly recommend using the OWASP Java Encoder instead.

If your project already uses ESAPI, an integration has been added that will allow you to use this library for encoding instead.

The usage is explained on their wiki page, but for the sake of completion, this is how you can use it to contextually encode your data:

// HTML Context
String html = Encoder.forHtml("u<ntrus>te'd'");

// HTML Attribute Context
String htmlAttr = Encoder.forHtmlAttribute("u<ntrus>te'd'");

// Javascript Attribute Context
String jsAttr = Encoder.forJavaScriptAttribute("u<ntrus>te'd'");

HTML (assume jsp)

<div data-attr="<%= htmlAttr %>" onclick="alert('<%= jsAttr %>')">
    <%= html %>
</div>

PS: more contexts exist and are supported by the library

Answer 2

I recommend you to use Appache Common Lang library to escape strings, for exmaple to escape HTML:

String escapedString = org.apache.commons.lang.StringEscapeUtils.escapeHtml(String str);

the library has many useful methods to escape in HTML, XML, Javascript.