 

Escaping html in Java

How do I make sure I don't escape something twice?

I've heard that its good practice to escape values as you receive them from a form, and also escape when you output. That way you have two chances to catch something.

Kyle asked Jan 27 '10 17:01



1 Answer

I presume that you're using JSP.

Just escape during display only. Therefore the JSTL <c:out> tag is perfectly suitable. It escapes HTML entities by default. Use it to display every user-controlled input, such as request URL, request headers and request parameters.

E.g.

<input type="text" name="foo" value="<c:out value="${param.foo}" />">

Escaping during input is not needed. XSS doesn't harm in raw Java code nor in SQL databases. On the other hand, you would also rather save data unmodified in the DB so that you can still see what the user actually entered, so that you can if necessary do social actions on malicious users.

If you'd like to know what to escape during input, it would be SQL injection. In such case just use PreparedStatement instead of regular Statement whenever you want to save any user-controlled input in the database.

E.g.

// Parameter placeholders (?) keep user-controlled values out of the SQL text itself.
PreparedStatement create = connection.prepareStatement("INSERT INTO user (username, password) VALUES (?, MD5(?))");
create.setString(1, username); // bound as data, never concatenated into the query
create.setString(2, password);
create.executeUpdate();
BalusC answered Sep 20 '22 18:09

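The difference between escaping once at output and escaping on both input and output, as an added Java example that is not part of the original answer; the escapeHtml helper stands in for what <c:out> does and the user input is a constructed sample:

```java
/** Demonstrates why user input should be stored raw and escaped exactly once, at output. */
public class EscapeOnce {

    /** Minimal HTML entity escaper, equivalent in spirit to JSTL's c:out (assumed helper, not JSTL itself). */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#34;");  break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Recommended flow: the raw value is what gets stored (via a PreparedStatement); escape only when rendering. */
    static String renderStoredRaw(String userInput) {
        String stored = userInput;          // saved unmodified, so the audit trail shows what was really entered
        return escapeHtml(stored);          // one escape, at the point the value hits the HTML page
    }

    /** The anti-pattern from the question: escape on input, then escape again on output. */
    static String renderStoredEscaped(String userInput) {
        String stored = escapeHtml(userInput);  // '&', '<', '>' already turned into entities before storage
        return escapeHtml(stored);              // the '&' of each entity is re-encoded: "&lt;" becomes "&amp;lt;"
    }

    public static void main(String[] args) {
        // Constructed sample input: what a user might type into the form field.
        String userInput = "Tom & Jerry <script>alert(1)</script>";

        String once = renderStoredRaw(userInput);
        String twice = renderStoredEscaped(userInput);

        System.out.println("escape once : " + once);   // browser shows the text exactly as typed
        System.out.println("escape twice: " + twice);  // browser shows literal "&lt;script&gt;" to the user
        System.out.println("identical?   " + once.equals(twice));
    }
}
```

Both outputs are safe against XSS; the doubly escaped one is simply wrong, which is why the answer recommends storing raw and escaping only at display time.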