public final class EscapeChars
extends Object
To keep you safe by default, WEB4J goes to some effort to escape characters in your data when appropriate, such that you usually don't need to think too much about escaping special characters. Thus, you shouldn't need to directly use the services of this class very often.
For Model Objects containing free form user input, it is highly recommended that you use SafeText, not String. Free form user input is open to malicious use, such as Cross Site Scripting attacks. Using SafeText will protect you from such attacks, by always escaping special characters automatically in its toString() method.
The following WEB4J classes will automatically escape special characters for you, when needed :
Modifier and Type | Method and Description |
---|---|
static String |
forHrefAmpersand(String aURL)
Escape all ampersand characters in a URL.
|
static String |
forHTML(String aText)
Escape characters for text appearing in HTML markup.
|
static String |
forJSON(String aText)
Escapes characters for text appearing as data in the
Javascript Object Notation
(JSON) data interchange format.
|
static String |
forRegex(String aRegexFragment)
Replace characters having special meaning in regular expressions
with their escaped equivalents, preceded by a '\' character.
|
static String |
forReplacementString(String aInput)
Escape '$' and '\' characters in replacement strings.
|
static String |
forScriptTagsOnly(String aText)
Disable all SCRIPT tags in aText.
|
static String |
forURL(String aURLFragment)
Synonym for URLEncoder.encode(String, "UTF-8").
|
static String |
forXML(String aText)
Escape characters for text appearing as XML data, between tags.
|
static String |
forXMLLite(String aText)
Escape characters for text appearing as XML data, between tags.
|
static String |
toDisableTags(String aText)
Return aText with all '<' and '>' characters
replaced by their escaped equivalents.
|
static String |
xmlForEditor(String aText)
Replaces XML substitutions, such as <, on the human readable characters, such as <.
|
public static String forHrefAmpersand(String aURL)
Replaces all '&' characters with '&'.
An ampersand character may appear in the query string of a URL. The ampersand character is indeed valid in a URL. However, URLs usually appear as an HREF attribute, and such attributes have the additional constraint that ampersands must be escaped.
The JSTL
public static String forHTML(String aText)
This method exists as a defence against Cross Site Scripting (XSS) hacks. The idea is to neutralize control characters commonly used by scripts, such that they will not be executed by the browser. This is done by replacing the control characters with their escaped equivalents. See SafeText as well.
The following characters are replaced with corresponding HTML character entities :
Character | Replacement |
---|---|
< | < |
> | > |
& | & |
" | " |
\t | |
! | ! |
# | # |
$ | $ |
% | % |
' | ' |
( | ( |
) | ) |
* | * |
+ | + |
, | , |
- | - |
. | . |
/ | / |
: | : |
; | ; |
= | = |
? | ? |
@ | @ |
[ | [ |
\ | \ |
] | ] |
^ | ^ |
_ | _ |
` | ` |
{ | { |
| | | |
} | } |
~ | ~ |
Note that JSTL's <c:out>
escapes only the first
five of the above characters.
public static String forJSON(String aText)
The following commonly used control characters are escaped :
Character | Escaped As |
---|---|
" | \" |
\ | \\ |
/ | \/ |
back space | \b |
form feed | \f |
line feed | \n |
carriage return | \r |
tab | \t |
See RFC 4627 for more information.
public static String forRegex(String aRegexFragment)
The escaped characters include :
public static String forReplacementString(String aInput)
Synonym for Matcher.quoteReplacement(String).
The following methods use replacement strings which treat '$' and '\' as special characters:
If replacement text can contain arbitrary characters, then you will usually need to escape that text, to ensure special characters are interpreted literally.
public static String forScriptTagsOnly(String aText)
Insensitive to case.
public static String forURL(String aURLFragment)
Used to ensure that HTTP query strings are in proper form, by escaping special characters such as spaces.
It is important to note that if a query string appears in an HREF attribute, then there are two issues - ensuring the query string is valid HTTP (it is URL-encoded), and ensuring it is valid HTML (ensuring the ampersand is escaped).
public static String forXML(String aText)
The following characters are replaced with corresponding character entities :
Character | Encoding |
---|---|
< | < |
> | > |
& | & |
" | " |
' | ' |
Note that JSTL's <c:out>
escapes the exact same set of
characters as this method. That is, <c:out>
is good for escaping to produce valid XML, but not for producing safe
HTML.
public static String forXMLLite(String aText)
The following characters are replaced with corresponding character entities :
Character | Encoding |
---|---|
< | < |
> | > |
& | & |
Note that JSTL's <c:out>
escapes the exact same set of
characters as this method. That is, <c:out>
is good for escaping to produce valid XML, but not for producing safe
HTML.
public static String toDisableTags(String aText)
public static String xmlForEditor(String aText)
aText
- the input textCopyright © 2010-2020 Toolsverse. All Rights Reserved.