How to escape HTML in Java

In Java, we can use StringEscapeUtils.escapeHtml4(str) from Apache commons-text to escape HTML characters.

pom.xml

  <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <version>1.8</version>
  </dependency>

JavaEscapeHtmlExample.java

package com.mkyong.html;

// make sure to import the correct commons-text package
import org.apache.commons.text.StringEscapeUtils;

// @deprecated as of 3.6, use commons-text StringEscapeUtils instead
//import org.apache.commons.lang3.StringEscapeUtils;

public class JavaEscapeHtmlExample {

    public static void main(String[] args) {

        String html = "<h1> hello & world</h1>";

        String output = StringEscapeUtils.escapeHtml4(html);

        System.out.println(output);

    }
}

Output


&lt;h1&gt; hello &amp; world&lt;/h1&gt;
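
The following is an added example, not part of the original tutorial: it compares escapeHtml4 with a hand-written encoder on input that contains a single quote, which escapeHtml4 leaves unencoded. The class name HtmlEscapeContextExample, the method escapeHtmlManual and the sample string are hypothetical and constructed for illustration.

```java
package com.mkyong.html;

import org.apache.commons.text.StringEscapeUtils;

// Added example: class and method names are hypothetical, not from commons-text.
public class HtmlEscapeContextExample {

    // Hand-written encoder for HTML text and quoted attribute values.
    // Encodes the five significant characters, including the single quote.
    static String escapeHtmlManual(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input containing both quote styles.
        String input = "O'Reilly & \"Sons\" <b>";

        // escapeHtml4 encodes & " < > but leaves the single quote as is.
        String lib = StringEscapeUtils.escapeHtml4(input);
        String manual = escapeHtmlManual(input);

        System.out.println("escapeHtml4: " + lib);
        System.out.println("manual:      " + manual);

        // Element content and double-quoted attributes: escapeHtml4 output is enough.
        System.out.println("<p title=\"" + lib + "\">" + lib + "</p>");
        // Single-quoted attributes also need the single quote encoded.
        System.out.println("<p title='" + manual + "'>" + manual + "</p>");
    }
}
```

Neither function is suitable for values placed inside script blocks, URLs or unquoted attributes; those contexts need their own encoders.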

Note
In the past, we usually used the StringEscapeUtils class from Apache commons-lang3 to escape HTML, but this class is deprecated as of 3.6.


// @deprecated as of 3.6, use commons-text
import org.apache.commons.lang3.StringEscapeUtils;

About Author

Founder of Mkyong.com, love Java and open source stuff. Follow him on Twitter. If you like my tutorials, consider making a donation to these charities.

Comments

JOSÉ PASCUAL GIMENO MARÍ
7 months ago

This library is useful to prevent stored XSS? What differences are between escapeHtml4 and owasp esapi or encoder libraries?

man
1 year ago

how make it manually, not using any apachan libs???