
What is the difference between escapeXml and escapeHtml?

I would like to escape characters in JSP pages. Which is more suitable, escapeXml or escapeHtml?

asked Sep 17 '10 13:09 by eugenn


People also ask

What does escapeXml do?

The fn:escapeXml() function escapes characters that can be interpreted as XML markup.

What does escapeHtml do?

The escapeHtml function is designed to accept a string input of text and return an escaped value to interpolate into HTML.

What is escapeXml false?

To prevent the conversion, escapeXml should be explicitly set to false as follows:

  <c:out value="${product.listPrice}" escapeXml="false" />

Another common scenario is the display of user-supplied text, such as product descriptions or dynamic text messages.

How do I use escapeXml in Java?

JSTL fn:escapeXml() function: the fn:escapeXml() function escapes the characters that would be interpreted as XML markup. It is used for escaping characters in XML markup. The syntax used for including the fn:escapeXml() function is: java.


2 Answers

They're designed for different purposes; HTML has lots of entities that XML doesn't. XML only has 5 escapes:

  • &lt; represents "<"
  • &gt; represents ">"
  • &amp; represents "&"
  • &apos; represents "'"
  • &quot; represents '"'

While HTML has loads - think of &nbsp;, &copy; etc. These HTML codes aren't valid in XML unless you include a definition in the header. The numeric codes (like &#169; for the copyright symbol) are valid in both.

answered Sep 21 '22 00:09 by Rudu


There's no such thing as escapeHtml in JSP. You normally use <c:out escapeXml="true"> (it by the way already defaults to true, so you can omit it) or fn:escapeXml() to escape HTML in JSP.

E.g.

<c:out value="Welcome, ${user.name}" />
<input name="foo" value="${fn:escapeXml(param.foo)}" />

It will escape them as XML entities which works perfectly fine in plain HTML as well. They are only literally called XML entities because HTML entities are invalid in XML.

See also:

  • Java 5 HTML escaping To Prevent XSS
  • Escaping html in Java
answered Sep 22 '22 00:09 by BalusC
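As an added illustration that is not part of either answer and is not the JSTL source: a minimal Java re-implementation of the escaping that fn:escapeXml() and <c:out escapeXml="true"> perform. It is my understanding that the real Apache implementation emits numeric references (&#039; and &#034;) for the two quote characters rather than &apos;/&quot;; both forms are valid XML and HTML, and the difference does not matter for the point shown here. The sample inputs are constructed. The example shows what both answers say: only the five XML-significant characters are rewritten, so a user-typed &copy; or &#169; is rendered literally rather than interpreted, and the escaped output is equally valid in XML and plain HTML.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (not the JSTL source): what fn:escapeXml / <c:out escapeXml="true">
// do to a value before it reaches the browser.
public class XmlEscapeDemo {

    // The five predefined XML entities listed in Rudu's answer.
    // (Assumption: JSTL itself writes &#039; / &#034; for the quotes instead.)
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&apos;"); break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for ${user.name} / ${param.foo}.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("plain",           "Alice");
        samples.put("markup",          "<b>bold</b>");
        samples.put("html entity",     "Fish &amp; Chips &copy; 2010");
        samples.put("numeric ref",     "&#169; 2010");
        samples.put("attribute quote", "O'Brien said \"hi\"");

        for (Map.Entry<String, String> e : samples.entrySet()) {
            String out = escapeXml(e.getValue());
            System.out.printf("%-16s %-30s -> %s%n", e.getKey(), e.getValue(), out);
        }
        // In a JSP the escaped value is what the browser receives, e.g.
        //   <input name="foo" value="O&apos;Brien said &quot;hi&quot;" />
        // so the quote characters can no longer close the attribute, and
        //   Fish &amp;amp; Chips &amp;copy; 2010
        // is displayed by the browser exactly as the user typed it.
    }
}
```

Compile with javac and run the class. The "html entity" and "numeric ref" rows are the reason the escapeXml="false" shown in the "People also ask" snippet has to be reserved for values you already trust to be well-formed markup: with escaping on, an & is always turned into &amp;, so no entity in user input, named or numeric, is ever interpreted.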