[jetty-users] Escape HTML in Jetty
Alexander Farber
2018-03-05 19:01:24 UTC
Good evening,

what would be a method in Jetty to escape HTML characters in a String?

Is StringUtil.sanitizeXmlString() suitable for that?

Thank you
Alex
Greg Wilkins
2018-03-05 21:18:57 UTC
Alex,

note that we don't really represent our libraries as good for content
generation, as they are mostly hidden from webapps and only exposed to
embedded usage. But sanitizeXmlString should work for HTML escaping as it
does < > " \ and &. But you'd better check that there are not other
characters that need to be encoded for safe HTML injection.

cheers
_______________________________________________
jetty-users mailing list
To change your delivery options, retrieve your password, or unsubscribe
from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
--
Greg Wilkins <***@webtide.com> CTO http://webtide.com
John English
2018-03-06 16:19:59 UTC
OWASP has an easy-to-use Encoder class:
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

The OWASP XSS prevention cheat sheet is also worth a read:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
--
John English
Joakim Erdfelt
2018-03-06 17:37:41 UTC
Escaping text can be rather complicated.

Some things to think about (not exhaustive):

* Escaping HTML/XHTML/XML?
* Do you want/need an HTML parser?
* Do you escape it all/some (eg: allow "<br>" but not the rest)?
* Do you escape Unicode? If so, to what target (form encoding? url encoding? other?)
* What is your target encoding? (UTF-8? UTF-16? ISO-8859-1? other?)
* What target are you escaping to? (html presentation? json? browser? xml attribute? yaml text? java manifests? etc...)
* Is your target a url? (you have different rules for escaping in hostname vs path vs query)
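To illustrate Joakim's point that the escaping rules depend on the target context, and Greg's caution that the XML-style five-character set may not be enough, here is an added Java example (not code from the thread, from Jetty or from OWASP): one escaper for text between tags and a stricter one for attribute values. The class name, method names and the untrusted sample string are constructed for this illustration.

```java
/** Added demo (not Jetty or OWASP code): escaping depends on the HTML context. */
public final class HtmlEscapeDemo {

    /** For text between tags: the characters that can change how HTML is parsed. */
    static String forHtmlText(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int cp : s.codePoints().toArray()) {
            switch (cp) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break; // &apos; is XML, not HTML 4
                default:   out.appendCodePoint(cp);
            }
        }
        return out.toString();
    }

    /** For attribute values: whitespace, '=', '`' and '/' also matter when the
     *  attribute is left unquoted, so encode everything outside a small safe set. */
    static String forHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int cp : s.codePoints().toArray()) {
            boolean safe = (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z')
                        || (cp >= '0' && cp <= '9') || cp == '-' || cp == '_' || cp == '.';
            if (safe) {
                out.appendCodePoint(cp);
            } else {
                out.append("&#").append(cp).append(';'); // decimal numeric reference
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed untrusted input: tries to close a quoted attribute and add another one.
        String untrusted = "x\" title=\"injected";
        System.out.println("<p>" + forHtmlText(untrusted) + "</p>");
        System.out.println("<input value=\"" + forHtmlAttribute(untrusted) + "\">");
        // Unquoted attribute: only the stricter encoder keeps "a b=c" inside one attribute.
        System.out.println("<input value=" + forHtmlAttribute("a b=c") + ">");
    }
}
```

For production code the OWASP Java Encoder linked above provides these contexts ready-made (Encode.forHtml, Encode.forHtmlAttribute, and separate methods for JavaScript and URI components), which is preferable to a hand-rolled escaper.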
Alexander Farber
2018-03-07 08:52:35 UTC
Thank you, I will switch to using OWASP
