How to escape HTML in Java
In Java, we can use Apache commons-text, StringEscapeUtils.escapeHtml4(str), to escape HTML characters.
pom.xml
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-text</artifactId>
<version>1.8</version>
</dependency>
JavaEscapeHtmlExample.java
package com.mkyong.html;

// make sure to import the correct commons-text package
import org.apache.commons.text.StringEscapeUtils;

// @deprecated as of 3.6, use commons-text StringEscapeUtils instead
//import org.apache.commons.lang3.StringEscapeUtils;

public class JavaEscapeHtmlExample {

    public static void main(String[] args) {

        String html = "<h1> hello & world</h1>";

        // replaces <, >, & and " with their HTML 4 entities
        String output = StringEscapeUtils.escapeHtml4(html);

        System.out.println(output);
    }
}
Output
&lt;h1&gt; hello &amp; world&lt;/h1&gt;
Note
In the old days, we usually used the Apache commons-lang3 StringEscapeUtils class to escape HTML, but this class is deprecated as of 3.6.
// @deprecated as of 3.6, use commons-text
import org.apache.commons.lang3.StringEscapeUtils;
org.apache.commons.lang3.StringEscapeUtils is deprecated
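As an added example that is not part of the original post: it runs escapeHtml4 beside a hand-written escaper (escapeHtmlManually, an assumed name) for HTML text and quoted-attribute context, to show that escapeHtml4 covers &, <, > and " but leaves the apostrophe alone, which matters if the escaped value ever lands inside a single-quoted attribute.

```java
package com.mkyong.html;

import org.apache.commons.text.StringEscapeUtils;

// Added example (not from the original post): compares commons-text
// escapeHtml4 with a minimal manual escaper for HTML element content
// and quoted attribute values.
public class EscapeHtmlContextExample {

    // Manual escaper for the five characters that matter when untrusted
    // text is inserted into HTML element content or a quoted attribute.
    // Method name is assumed; it is not part of commons-text.
    public static String escapeHtmlManually(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // &apos; is not an HTML 4 entity
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input containing all five characters.
        String untrusted = "<h1> hello & world</h1> O'Brien said \"hi\"";

        String viaCommons = StringEscapeUtils.escapeHtml4(untrusted);
        String viaManual = escapeHtmlManually(untrusted);

        System.out.println(viaCommons);
        System.out.println(viaManual);

        // escapeHtml4 does not touch the apostrophe, so its output is only
        // safe in element content and double-quoted attributes; the manual
        // version also covers single-quoted attributes.
        System.out.println("apostrophe left by escapeHtml4: " + viaCommons.contains("'"));
        System.out.println("apostrophe left by manual:      " + viaManual.contains("'"));
    }
}
```

Neither escaper is suitable for JavaScript, URL or CSS contexts; each of those needs its own encoder.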
Is this library useful to prevent stored XSS? What are the differences between escapeHtml4 and the OWASP ESAPI or Encoder libraries?
How to do it manually, without using any Apache libs???