What's the standard way of quoting text for inclusion in a web page in Java? Ie. I need a method to convert the string
Jeb said, "Hell & damnation! Is 5 > 4?" to Jeb said, "Hell & damnation! Is 5 > 4?" (I think: I've never been entirely sure what the right way to handle quotes is.) That is, I want the standard Java equivalent of Python's cgi.escape(), or Perl's CGI::escapeHTML(). To my utter amazement, I cannot find any indication that such a method even exists in the standard Java library! (I tried Google'ing and poking through the JDK 1.4 docs.) So I went looking in the source for Tomcat 4.1.27 -- surely the HTML version of the manager app must quote at least the webapp's display name, since it comes from a user-supplied file and therefore might contain funny characters. Surprisingly, the manager just lets funny characters through without touching them. Eg. if you put <display-name>foo & bar webapp</display-name> then "&" is translated back to "&" by some part of the XML-parsing chain, and is emitted as "&" in the manager HTML page. Most browsers can deal with minor violations like this, but it's still technically incorrect. Just for fun I tried this: <display-name>my <script>alert("foo");</script></display-name> ...and it works! The manager emits this HTML: <td class="row-left"><small>my <script>alert("foo");</script> webapp</small></td> and my browser pops up a JavaScript window while rendering the manager page. Cool! I doubt this is a security hole -- not many people can edit web.xml! -- but surely it at least counts as a rendering bug. ;-) So: can someone tell me what the standard way of quoting text for inclusion in a web page generated by a Java web application is? Thanks! Greg --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]