dee

Reputation: 1898

How do you un-encode single and double quotes in Java?

I use AntiSamy to sanitize user input and it works well. There is one problem: it encodes single and double quotes. So if I want to edit something, my sample's is rendered instead of my sample's--the single-quote becomes encoded.

To clarify: The browser renders the quotes correctly, but they get saved in my db as HTML entities. So when a user loads a post for editing, the HTML entities are displayed in the text field.

  1. Is there a way to get around this limitation?
  2. Should I use/are there any different tools?

My users can post code and a variety of other stuff. So AntiSamy does a great job there. But I don't want to convert single and double quotes in normal text.

What options do I have?

Upvotes: 2

Views: 5501

Answers (3)

axtavt

Reputation: 242686

If all you need is to escape potentially dangerous characters in the input, you can store that input in the database in its raw form and encode it on output.

If the encoding process is more complex (i.e. some tag whitelists or formatting rules are applied), you can store two versions of the input - an encoded HTML version for display and a raw version for editing, and update the HTML version when the raw version is modified.

Upvotes: 1
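The store-raw, encode-on-output approach from the answer above, as an added example that is not part of the original answer. The class, the in-memory `db` map and the hand-written `encodeHtml` helper are hypothetical stand-ins for illustration; it covers only the simple case with no tag whitelist.

```java
import java.util.HashMap;
import java.util.Map;

public class StoreRawEncodeOnOutput {
    // Minimal HTML encoder for element content and quoted attribute values
    // (illustrative; a maintained encoder library would normally be used instead).
    static String encodeHtml(String raw) {
        StringBuilder out = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Stand-in for the posts table: the raw text is stored exactly as submitted.
    static final Map<Integer, String> db = new HashMap<>();

    // Read-only view: encoding happens here, at output time.
    static String renderView(int id) {
        return "<div class=\"post\">" + encodeHtml(db.get(id)) + "</div>";
    }

    // The browser decodes entities inside <textarea>, so the user edits the raw text.
    static String renderEditForm(int id) {
        return "<textarea name=\"body\">" + encodeHtml(db.get(id)) + "</textarea>";
    }

    public static void main(String[] args) {
        String submitted = "my sample's \"quoted\" <b>markup</b>"; // constructed input
        db.put(1, submitted);
        System.out.println(renderView(1));
        System.out.println(renderEditForm(1));

        // Situation from the question: the encoded form is stored, then encoded again
        // on output, so the user sees literal entities in the edit field.
        db.put(2, encodeHtml(submitted));
        System.out.println(renderEditForm(2));
    }
}
```

The third line of output contains `&amp;#39;` and `&amp;quot;`, which a browser displays as literal entity text in the textarea; the second line decodes back to the text the user originally typed.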

Leo Izen

Reputation: 4289

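// The entity literals were lost when this page was rendered; &#39; and &quot; are assumed here.
String s = "string unencode &#39; &quot;NOW&quot;";
// Replace each entity with the character it stands for.
String unencoded = s.replaceAll("&#39;", "'").replaceAll("&quot;", "\"");
myTextField.setText(unencoded);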

Upvotes: 3

Bozho

Reputation: 597046

If AntiSamy does not have a reversing method, this thing in particular can be handled by StringEscapeUtils.unescapeHtml(..) from commons-lang.

Browsers know how to show ', so there should not be a problem. Use the above only if you are going to display the text in a textarea or other input control, or outside of a browser.

Upvotes: 2
