How about org.apache.commons.lang.StringEscapeUtils? Which: Escapes and unescapes Strings for Java, Java Script, HTML, XML, and SQL.
> -----Original Message-----
> From: Greg Ward [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 02, 2003 4:18 PM
> To: [EMAIL PROTECTED]
> Subject: HTML quoting
>
> What's the standard way of quoting text for inclusion in a
> web page in Java? I.e. I need a method to convert the string
>
> Jeb said, "Hell & damnation! Is 5 > 4?"
>
> to
>
> Jeb said, "Hell &amp; damnation! Is 5 &gt; 4?"
>
> (I think: I've never been entirely sure what the right way to
> handle quotes is.) That is, I want the standard Java
> equivalent of Python's cgi.escape(), or Perl's CGI::escapeHTML().
>
> To my utter amazement, I cannot find any indication that such
> a method even exists in the standard Java library! (I tried
> Google'ing and poking through the JDK 1.4 docs.)
>
> So I went looking in the source for Tomcat 4.1.27 -- surely
> the HTML version of the manager app must quote at least the
> webapp's display name, since it comes from a user-supplied
> file and therefore might contain funny characters.
> Surprisingly, the manager just lets funny characters through
> without touching them. E.g. if you put
>
> <display-name>foo &amp; bar webapp</display-name>
>
> then "&amp;" is translated back to "&" by some part of the
> XML-parsing chain, and is emitted as "&" in the manager HTML
> page. Most browsers can deal with minor violations like
> this, but it's still technically incorrect. Just for fun I
> tried this:
>
> <display-name>my <script>alert("foo");</script></display-name>
>
> ...and it works! The manager emits this HTML:
>
> <td class="row-left"><small>my <script>alert("foo");</script> webapp</small></td>
>
> and my browser pops up a JavaScript window while rendering
> the manager page. Cool! I doubt this is a security hole --
> not many people can edit web.xml! -- but surely it at least
> counts as a rendering bug. ;-)
>
> So: can someone tell me what the standard way of quoting text
> for inclusion in a web page generated by a Java web application is?
>
> Thanks!
>
> Greg
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> ---------------------------------------------------------------------
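As an added illustration, not code from the thread or from Tomcat, here is the commons-lang call the reply suggests beside a hand-written equivalent, run on Greg's sample sentence and on the display-name from his web.xml test; it assumes commons-lang 2.x on the classpath, and the class name HtmlQuoting and the helper escapeForHtml() are mine.

```java
import org.apache.commons.lang.StringEscapeUtils;

/**
 * Added example: escape user-supplied text before emitting it into HTML,
 * which is what the manager page should do with a webapp's display-name.
 * Assumes commons-lang 2.x for StringEscapeUtils; escapeForHtml() is a
 * hand-rolled equivalent for the five characters that matter in HTML
 * text and attribute values.
 */
public class HtmlQuoting {

    static String escapeForHtml(String s) {
        StringBuffer sb = new StringBuffer(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break; // safe inside attribute values too
                case '\'': sb.append("&#39;");  break; // escapeHtml() in commons-lang 2.x leaves this one alone
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: the sentence from the question and the display-name from the web.xml test.
        String jeb = "Jeb said, \"Hell & damnation! Is 5 > 4?\"";
        String displayName = "my <script>alert(\"foo\");</script> webapp";

        // Both produce: Jeb said, &quot;Hell &amp; damnation! Is 5 &gt; 4?&quot;
        System.out.println(escapeForHtml(jeb));
        System.out.println(StringEscapeUtils.escapeHtml(jeb));

        // What the manager page should emit: the <script> tag becomes inert text instead of markup.
        System.out.println("<td class=\"row-left\"><small>"
                + StringEscapeUtils.escapeHtml(displayName) + "</small></td>");
    }
}
```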
