
How to escape double quotes in JSTL function / EL?


I need to change " to \" with JSTL replace function to use the string in input tag like:

<input type="hidden" name="text" size="40" value="${text}"> 

If ${text} contains a ", the HTML will be broken.

So I tried

<input type="hidden" name="text" size="40" value="${fn:replace(text, "\"", "\\\""}"> 

and

<input type="hidden" name="text" size="40" value="${fn:replace(text, '"', '\"'}"> 

but it didn't work. The page gives errors like

org.apache.el.parser.ParseException: Encountered " "}" "} "" at line 1, column 32. Was expecting one of: "." ... ")" ... "[" ... "," ... ">" ... "gt" ... "<" ... "lt" ... ">=" ... "ge" ... "<=" ... "le" ... "==" ... "eq" ... "!=" ... "ne" ... "&&" ... "and" ... "||" ... "or" ... "*" ... "+" ... "-" ... "/" ... "div" ... "%" ... "mod" ...

How can I do this?

Update

I missed a close paren of replace function. The right one was this one with a close paren:

<input type="hidden" name="text" size="40" value="${fn:replace(text, '"', '\"')}"> 

Update2

I found out that when posting texts, using \ is not a good idea, for the reason explained in "why can't use \" in HTML input tag?". The code should be like this:

<input type="hidden" name="text" size="40" value="${fn:replace(text, '"', '&quot;')}"> 
Sanghyun Lee Avatar asked Aug 18 '11 01:08





2 Answers

It doesn't work because the \ is an escape character in Java strings. To represent it literally, you need to escape it with another \ again. Also, the " is a special character in EL, so you also need to escape it to represent it literally. So, the proper syntax would have been:

<input type="hidden" name="text" size="40" value="${fn:replace(text, '\"', '\\\"')}"> 

But, you should actually be using fn:escapeXml() to prevent XSS. It not only escapes quotes, but also other characters.

<input type="hidden" name="text" size="40" value="${fn:escapeXml(text)}"> 

See also:

  • XSS prevention in JSP/Servlet web application
BalusC Avatar answered Oct 16 '22 23:10



You are doing it wrong (with fn:replace).

The correct way is:

<input type="hidden" name="text" size="40" value="<c:out value='${text}'/>">

(actually tested code - works 100%)

Edit: Upon more thinking:

  • the way by using fn:escapeXml (as written by BalusC) works too and looks nicer (no nested tags)
  • using fn:replace to mimic fn:escapeXml is asking for trouble. You will forget to include some character that should be escaped. Just use the existing, tried and tested fn:escapeXml (or c:out)
David Balažic Avatar answered Oct 17 '22 00:10

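To make the two answers' point concrete, here is an added Java illustration (not code from the question, the answers, or JSTL itself): a plain-Java equivalent of what fn:escapeXml emits, beside the quote-only replacement from Update2, plus a small entity decoder that shows which value the browser would actually submit back. The class and method names and the three sample strings are my own, constructed for the demo.

```java
import java.util.Map;

public final class AttributeEscaping {
    // Equivalent of JSTL's fn:escapeXml: the five XML-significant characters
    // become entity references, so the result is safe inside a double- or
    // single-quoted attribute value as well as in element text.
    public static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The "Update2" approach from the question: only the double quote is replaced.
    public static String replaceQuotesOnly(String s) {
        return s.replace("\"", "&quot;");
    }

    private static final Map<String, String> ENTITIES = Map.of(
        "lt", "<", "gt", ">", "amp", "&", "quot", "\"", "#034", "\"", "#039", "'");

    // Small decoder for the entities a browser resolves in an attribute value,
    // used here to show which string the form would actually submit back.
    public static String decodeAttributeValue(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); ) {
            int semi = s.indexOf(';', i);
            String rep = (s.charAt(i) == '&' && semi > i) ? ENTITIES.get(s.substring(i + 1, semi)) : null;
            if (rep != null) { sb.append(rep); i = semi + 1; } else { sb.append(s.charAt(i++)); }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the page. escapeXml round-trips all
        // three; quote-only turns a pre-existing "&amp;" into "&" and leaves ' and < alone.
        String[] samples = { "say \"hi\"", "fish &amp; chips", "it's <b>bold</b>" };
        for (String text : samples) {
            String safe = escapeXml(text), naive = replaceQuotesOnly(text);
            System.out.println("escapeXml  : value=\"" + safe + "\" -> submits: " + decodeAttributeValue(safe));
            System.out.println("quote-only : value=\"" + naive + "\" -> submits: " + decodeAttributeValue(naive));
        }
    }
}
```

The second sample is the one worth noticing: because the quote-only variant never escapes &, a value that already contains an entity is silently changed on the round trip, while the unescaped ' in the third sample would end a single-quoted attribute early.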