Escaping text can be rather complicated.

Some things to think about (not exhaustive):

* Escaping HTML/XHTML/XML?
* Do you want/need an HTML parser?
* Do you escape it all/some (e.g. allow "<br>" but not the rest)?
* Do you escape Unicode? If so, to what target (form encoding? URL encoding? other?)
* What is your target encoding? (UTF-8? UTF-16? ISO-8859-1? other?)
* What target are you escaping to? (HTML presentation? JSON? browser? XML attribute? YAML text? Java manifests? etc...)
* Is your target a URL? (you have different rules for escaping in hostname vs path vs query)



Joakim Erdfelt / joa...@webtide.com

On Tue, Mar 6, 2018 at 10:19 AM, John English <john.fore...@gmail.com>
wrote:

> On 05/03/2018 21:01, Alexander Farber wrote:
>
>> Good evening,
>>
>> what would be a method in Jetty to escape HTML characters in a String?
>>
>
> OWASP has an easy-to-use Encoder class:
> https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
>
> The OWASP XSS prevention cheat sheet is also worth a read:
> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
>
> --
> John English
>
> _______________________________________________
> jetty-users mailing list
> jetty-users@eclipse.org
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://dev.eclipse.org/mailman/listinfo/jetty-users
>
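
Added example, not part of the original thread: one untrusted string written into four of the output contexts listed in the reply above, each with the matching encoder from the OWASP Java Encoder mentioned in the quoted message. It assumes the `org.owasp.encoder:encoder` library is on the classpath; the class name `ContextEscapingDemo`, the `render` method, the `/search` URL and the sample input are constructed for illustration.

```java
import org.owasp.encoder.Encode;

public class ContextEscapingDemo {

    // Renders one untrusted value into four different output contexts.
    // Each context has its own metacharacters, so each needs its own encoder.
    static String render(String untrusted) {
        StringBuilder page = new StringBuilder();

        // 1. HTML element content.
        page.append("<p>")
            .append(Encode.forHtml(untrusted))
            .append("</p>\n");

        // 2. Quoted HTML attribute value: quotes must be neutralised too.
        page.append("<input name=\"q\" value=\"")
            .append(Encode.forHtmlAttribute(untrusted))
            .append("\">\n");

        // 3. URL query parameter inside an href: two nested contexts.
        //    Percent-encode the value for the URL first, then encode the
        //    finished URL for the attribute it is placed in.
        String url = "/search?q=" + Encode.forUriComponent(untrusted) + "&page=1";
        page.append("<a href=\"")
            .append(Encode.forHtmlAttribute(url))
            .append("\">search again</a>\n");

        // 4. JavaScript string literal inside a <script> block.
        page.append("<script>var q = '")
            .append(Encode.forJavaScript(untrusted))
            .append("';</script>\n");

        return page.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input containing characters that are special
        // in HTML text, attributes, URLs and JavaScript strings.
        String untrusted = "\"><b>O'Reilly & Sons</b>";
        System.out.print(render(untrusted));
    }
}
```

Running it prints the same input in four different encoded forms; using the HTML encoder for the URL or JavaScript case would leave characters that are significant in those contexts unescaped.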