Escaping text can be rather complicated. Some things to think about (not exhaustive):
* Escaping HTML/XHTML/XML?
* Do you want/need an HTML parser?
* Do you escape it all/some (e.g. allow "<br>" but not the rest)?
* Do you escape Unicode? If so, to what target (form encoding? URL encoding? other?)
* What is your target encoding? (UTF-8? UTF-16? ISO-8859-1? other?)
* What target are you escaping to? (HTML presentation? JSON? browser? XML attribute? YAML text? Java manifests? etc...)
* Is your target a URL? (you have different rules for escaping in hostname vs path vs query)

Joakim Erdfelt / [email protected]

On Tue, Mar 6, 2018 at 10:19 AM, John English <[email protected]> wrote:

> On 05/03/2018 21:01, Alexander Farber wrote:
>
>> Good evening,
>>
>> what would be a method in Jetty to escape HTML characters in a String?
>
> OWASP has an easy-to-use Encoder class:
> https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
>
> The OWASP XSS prevention cheat sheet is also worth a read:
> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
>
> --
> John English
>
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://dev.eclipse.org/mailman/listinfo/jetty-users
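An added example, not part of the original thread or of Jetty: one untrusted value written into four different targets of the same page, each with the encoder for that target. It assumes the OWASP Java Encoder (`org.owasp.encoder`) from the quoted reply is on the classpath; the class name, `render` method, `/greet` path and sample input are constructed for illustration.

```java
import org.owasp.encoder.Encode;

public class EscapeByContext {

    // Writes the same untrusted value into four targets; the target,
    // not the value, decides which encoder is correct.
    static String render(String name) {
        StringBuilder out = new StringBuilder();

        // 1. HTML text node: only markup-significant characters need encoding.
        out.append("<p>Hello, ")
           .append(Encode.forHtmlContent(name))
           .append("</p>\n");

        // 2. Quoted HTML attribute: quotes must be encoded as well.
        out.append("<input name=\"who\" value=\"")
           .append(Encode.forHtmlAttribute(name))
           .append("\">\n");

        // 3. URL query parameter inside an href: two nested targets.
        //    Percent-encode the value as a URI component first, then
        //    attribute-encode the finished URL.
        String url = "/greet?who=" + Encode.forUriComponent(name);
        out.append("<a href=\"")
           .append(Encode.forHtmlAttribute(url))
           .append("\">greet</a>\n");

        // 4. JavaScript string literal inside a <script> block.
        out.append("<script>var who = '")
           .append(Encode.forJavaScript(name))
           .append("';</script>\n");

        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input with characters that matter in each target.
        String untrusted = "Tom & \"Jerry\" <b>'\u00e9'</b> a/b?c=d";
        System.out.print(render(untrusted));
    }
}
```

Comparing the four output lines shows why a single "escape HTML" helper is not enough: the same characters are rewritten differently, or left alone, depending on where the value lands.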
