Use:
StringEscapeUtils.escapeHtml("I'm coder")
Escapes the characters in a String using HTML entities.
For example:
"bread" & "butter"
Becomes:
Answer from Srikanth Puliroju on Stack Overflow
"bread" & "butter".
Use:
StringEscapeUtils.escapeHtml("I'm coder")
Escapes the characters in a String using HTML entities.
For example:
"bread" & "butter"
Becomes:
"bread" & "butter".
to quote the StringEscapeUtils.escapeHtml javadocs, as in https://commons.apache.org/proper/commons-lang/javadocs/api-2.6/org/apache/commons/lang/StringEscapeUtils.html#escapeHtml%28java.lang.String%29
Supports all known HTML 4.0 entities, including funky accents. Note that the commonly used apostrophe escape character (') is not a legal entity and so is not supported).
So you have to do that manually.
I can think of several possibilities to explain why sometimes a string is not escaped:
- perhaps the original programmer was confident that at certain places the string had no special characters (however, in my opinion this would be bad programming practice; it costs very little to escape a string as protection against future changes)
- the string was already escaped at that point in the code. You definitely don't want to escape a string twice; the user will end up seeing the escape sequence instead of the intended text.
- The string was the actual html itself. You don't want to escape the html; you want the browser to process it!
EDIT -
The reason for escaping is that special characters like & and < can end up causing the browser to display something other than what you intended. A bare & is technically an error in the html. Most browsers try to deal intelligently with such errors and will display them correctly in most cases. (This will almost certainly happen in your example text if the string were text in a <div>, for instance.) However, because it is bad markup, some browsers will not work well; assistive technologies (e.g., text-to-speech) may fail; and there may be other problems.
There are several cases that will fail despite the best efforts of the browser to recover from bad markup. If your sample string were an attribute value, escaping the quote marks would be absolutely required. There's no way that a browser is going to correctly handle something like:
<img alt=""bread" & "butter"" ... >
The general rule is that any character that is not markup but might be confused as markup need to be escaped.
Note that there are several contexts in which text can appear within an html document, and they have separate requirements for escaping. The following should be escaped:
- all characters that have no representation in the character set of the document (unlikely if you are using UTF-8, but that's not always the case)
- Within attribute values, quote marks (
'or", whichever one matches the delimiters used for the attribute value itself) and the ampersand (&), but not< - Within text nodes, only
&and< - Within href values, characters that need escaping in a url (and sometimes these need to be doubly escaped so they are still escaped after the browser unescapes them once)
- Within a CDATA block, generally nothing (at the HTML level).
Finally, aside from the hazard of double-escaping, the cost of escaping all text is minimal: a tiny bit of extra processing and a few extra bytes on the network.
HTML (nowadays we would better say XML) defines many so called "special" characters, which means that these characters have special meaning for browser in contrast with "normal" characters that just mean themselves. For example, string "Hello, World!" contains only "normal" characters and thus it literally means "Hello, World!" for browser. String "<b>Hello, World!</b>", contains special characters '<', '>' and '/', and for browser it means: typeset string "Hello, World!" in bold instead of just typeset "<b>Hello, World!</b>".
Method escapeHtml (String) probably (I cannot tell for sure because I don't know how it is implemented) converts arbitrary string into HTML code that will instruct browser to literally typeset this string. For example, escapeHtml ("<b>Hello, World!</b>") whill return HTML code that will be interpreted by browser as typeset "<b>Hello, World!</b>" normally instead of typeset string "Hello, World!" in bold. If method escapeHtml (String) is implemented correctly, you should not care how HTML code produced by this method looks like. Just use it where you want to ask browser to typeset some string literally.
they come from different packages in fact
escapeHtml comes from org.commons.lang (lang 2.5 API) and let's you use a writer object. It can also escape string from an SQL source
escapeHtml4 is from org.commons.lang3 (lang 3.1 API) is specialy use to escape character from a HTML4 source. Nothing more, nothing less
They do the same job but i would recommend using "escapeHtml4" since its from a newer package
See : EscapeHtml4 and escapehtml
Note that StringEscapeUtils.escapeHtml() has issues with apostrophes