Best tool to HTML encode data for presentation on a browser?

Sheriff
I work on a Java and JSP web application and there are a few places where we are presenting data that is taken directly from a Java class. If you're interested then it's a Decorator class for an old and clunky JSP Table widget called DisplayTag.

For data that is pulled from our database I need to encode it to HTML so that we are not vulnerable to putting raw and potentially malicious data directly into the browser. Currently we use the org.owasp.esapi.ESAPI library to do ESAPI.encoder().encodeForHTML(rawVal) but it doesn't play nice when unit testing and always fails due to some Reflection lookup failure. That kinda sucks.

I also heard that the ESAPI project is dead now. Is that true?

What is the best Java tool to encode my raw data into safe HTML Strings? What do you guys use?
Sheriff
What's the nature of the data being encoded? If all you need is replacement of special characters (such as <) with HTML entities, then simple string replacements could be used. But I suspect you need more than that...
Tim Cooke
Sheriff
It's really not much more than that Bear.

There's some data being presented that's retrieved from the database, and that data was put in the database as the result of some user input somewhere or other. The purpose of the encoding is to ensure that if the user entered malicious data then we do not present that back to the browser as is. Perhaps the user entered some JS code, I don't want to put that back on the browser and have it interpreted as a runnable script that could result in some unwelcome action being taken against the application. Or perhaps they've entered an anchor link to somewhere we really don't want to go. Or perhaps an img tag with a huge picture of a bear. You know the deal.

The ESAPI library I mentioned is just String to String transformation where HTML markup, such as < and the like, get replaced by their HTML encoded equivalent, like &lt; or whatever it is.
Bear Bibeault
Sheriff
In that case, I'd just write a simple method that uses String.replace to change all < and > characters to their HTML entity equivalents. I've seen some methods that also change quote characters but I'm not sure that that's necessary unless you will be using the text as attribute values. Would that satisfy the requirements?

Of course you still need to be careful where you put the text in your own markup. If you stick it inside <script> tags, well...
Bear Bibeault
Sheriff
Just checked some code from a previous job (can't post it due to NDA restrictions), but it changed the following characters to HTML entity equivalents: < > " & and \.
Greenhorn
How about StringEscapeUtils from Apache Commons Lang? I've used it for HTML and many other things.
Tim Cooke
Sheriff
Thanks for that Christian. I was just coming back to talk about that very thing.

From what Bear has told me, there doesn't appear to be much to it. Just a handful of character replacements are required. So as I already have Apache Commons available in the project, and I'm too lazy to roll my own, I think StringEscapeUtils will be a suitable replacement for the troublesome-to-test ESAPI.

Many thanks fellas.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
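Putting Bear's replacement list and his "where you put the text" caveat together, here is an added example (not code from this thread, nor from ESAPI or Apache Commons) of a single-pass HTML encoder in plain Java; the class and method names are my own. It encodes the characters that matter for text nodes and quoted attribute values, and contrasts it with a chained String.replace that handles & last, which double-encodes the entities it has just produced.

```java
// Added example, not from the thread: a single-pass encoder for HTML text nodes and
// quoted attribute values. It is NOT a substitute for JavaScript, URL or CSS encoding,
// so text placed inside <script>, onclick= or href= still needs the encoder for that context.
public final class HtmlEncoder {

    private HtmlEncoder() {
    }

    /** Encodes raw (untrusted) text for an HTML text node or a quoted attribute value. */
    public static String encodeForHtml(String raw) {
        if (raw == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break; // must be encoded so existing entities are not kept live
                case '<':  out.append("&lt;");   break; // stops a new tag from opening
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break; // closes a double-quoted attribute otherwise
                case '\'': out.append("&#39;");  break; // single-quoted attributes; &apos; is not an HTML 4 entity
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * The chained-replace approach with '&' handled LAST: the "&lt;" it produced two calls
     * earlier gets its '&' re-encoded, so the browser renders the literal text "&lt;b&gt;".
     * Kept here only to show why order matters (or why a single pass avoids the question).
     */
    public static String chainedReplaceWrongOrder(String raw) {
        return raw.replace("<", "&lt;").replace(">", "&gt;").replace("&", "&amp;");
    }

    public static void main(String[] args) {
        // Constructed sample input: a script tag, an ampersand and both quote characters.
        String untrusted = "<script>alert('hi')</script> Tom & Jerry's \"bear\"";
        System.out.println(encodeForHtml(untrusted));
        System.out.println(chainedReplaceWrongOrder("<b>"));
    }
}
```

One caveat for the Commons Lang route chosen above: StringEscapeUtils.escapeHtml4 encodes & < > and " but leaves the single quote alone, so it is only safe for attribute values that are double-quoted. That class was also deprecated in Commons Lang 3.6 in favour of the same method in Apache Commons Text.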