How to pass a string containing double quotes from a jsp to a servlet through URL using get method

Question

I want to set a jsp parameter to an attribute value which may contain special symbols, then use a form GET submit to pass the parameter to a servlet controller. For example, the parameter is:

<input type="hidden" name="searchTerms" value="${sessionScope.combTerms}"></input>

I noticed if sessionScope.combTerms contains double quotes, eg. location:"LOC1", the controller will only receive the value of searchTerms to be location: in which the LOC1" disappeared. What should I do to make sure whatever string in sessionScope.combTerms is passed to the controller correctly? Thanks in advance.

Answer 1

When filling HTML input values, always use fn:escapeXml(). It not only sanitizes the value from HTML entities which might risk your HTML to malform (a quote denotes end of attribute value, that's why the remnant of your value got lost), but it will also save you from XSS injection attack risks at places where you're redisplaying user-controlled input.

<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>

<input type="hidden" name="searchTerms" value="${fn:escapeXml(sessionScope.combTerms)}">

No need to URLEncode it. The webbrowser will already do it automagically. Try it yourself with an & in the value. You'll see that the webbrowser changes it %26. The webbrowser will also take care about parsing XML entities so that they end up correctly in the URL. I.e. you get " in server side, not ".