ict1991

Reputation: 2100

Why are the escape characters being displayed in HTML?

I need to escape some text before displaying the contents on the webpage, and this in fact is being done correctly. However, when I display the String in HTML, the escape characters will still be displayed. The following is such an example:

hello there my ni&%ame is + - && !

and the respective string with escaping is the following:

hello there my ni&%ame is + - && !

I've read somewhere that the core in taglib will only escape the basic ones such as >, <, ", \t and space. However, none of these escape sequences are removed from the HTML code. Does any of you know how to solve this problem, please? Thanks.

The following is part of the code used to convert a specific character to its escape character:

while (character != CharacterIterator.DONE) {
    if (character == '<') {
        result.append("&lt;");
    }
    else if (character == '>') {
        result.append("&gt;");
    }
    else if (character == '&') {
        result.append("&amp;");
    } .....
    return result;
}

The escaping part is done and works perfectly. The problem occurs when I try to display the string with escaped characters on an HTML page.

Upvotes: 1

Views: 5689

Answers (2)

Stephen C

Reputation: 718826

BalusC has nailed it.

A couple of additional points:

  • If you get problems with web pages not looking right, one of the things you should do is to look at the raw HTML using your web browser's "view source" function. In this case, it would have shown the double escaping, and a quicker realization of what the problem was.

  • In HTML, you should only need to escape <, > and &. Other characters should work just fine provided that your HTML is encoded in UTF-8 (and the content type says so too).

Upvotes: 1

BalusC

Reputation: 1108722

if (character == '<') {
    result.append("&lt;");
}
else if (character == '>') {
    result.append("&gt;");
// ...

Remove this. You don't need it. The JSTL <c:out> already does this job.

<c:out value="${someBean.someProperty}" />

Your HTML string is otherwise escaped twice. Each & becomes an &amp; again and so on. If you really need to take the escaping into your own hands (why?) then just don't use <c:out> at all:

${someBean.someProperty}

or turn off its escaping by escapeXml="false":

<c:out value="${someBean.someProperty}" escapeXml="false" />

Upvotes: 3
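
The double escaping described in the answers above, as an added example that is not part of the original posts. `escapeXml` is a hand-written stand-in for the default escaping of `<c:out>`; the class, the method names and the sample string are assumptions made for illustration.

```java
import java.util.regex.Pattern;

public class DoubleEscapeDemo {

    // Stand-in for the escaping <c:out> applies by default (escapeXml="true"):
    // the five characters &, <, >, " and ' become entities.
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // An entity whose leading '&' was itself escaped, e.g. "&amp;lt;" or "&amp;#039;".
    private static final Pattern DOUBLE_ESCAPED =
            Pattern.compile("&amp;(?:amp|lt|gt|quot|apos|#\\d+|#x[0-9a-fA-F]+);");

    // Heuristic check to run over the raw page source ("view source").
    static boolean looksDoubleEscaped(String htmlSource) {
        return DOUBLE_ESCAPED.matcher(htmlSource).find();
    }

    public static void main(String[] args) {
        String raw = "my name is <b> & co";      // constructed sample input

        String once  = escapeXml(raw);           // escaped by exactly one layer
        String twice = escapeXml(once);          // own escaping, then <c:out> on top

        System.out.println("once : " + once);
        System.out.println("twice: " + twice);
        System.out.println("once  double-escaped? " + looksDoubleEscaped(once));
        System.out.println("twice double-escaped? " + looksDoubleEscaped(twice));
    }
}
```

The check is a heuristic: input in which the user literally typed an entity such as `&lt;` also matches after a single correct escape, so a hit is a prompt to inspect the template rather than proof of a bug.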
