We have a DB application that allows users to freely enter data. Our problem is that if a user enters HTML tags as their data and submits it to our DB, we are able to encode the response and store the data in its original context (a requirement).
Now, here is the problem. When the data is pulled out from the DB and displayed on the .JSP, if the user had submitted HTML tags, our page doesn't display the HTML tags but rather their browser interprets the tag.
We do not want the browser to interpret the tag, just want the actual characters displayed. So if a user enters <B> HELLO WORLD</B> we want the less than and greater than signs to be displayed, not the phrase HELLO WORLD to be displayed in bold.
I think the solution is to encode the HTML text before sending it to the browser, e.g. use &lt; and &gt; instead of < and >. You'll need to encode other stuff too such as & with &amp;. I don't know if there's a standard Java API to do this but there must surely be free, open source APIs available.
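As an added example (not code from the question or the answer above), a minimal output-time escaper in Java that turns the five HTML-significant characters into entities, so text stored raw in the DB is rendered literally by the browser instead of being parsed as markup; the class name, method name and sample input are assumptions for illustration.

```java
public final class HtmlEscaper {

    // Replace every HTML-significant character with its entity. Each character
    // is mapped independently, so an already-escaped "&amp;" in the input is
    // escaped again rather than trusted; escaping belongs at output time only,
    // while the database keeps the user's original text unchanged.
    public static String escapeHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break; // needed when the value lands inside an attribute
                case '\'': sb.append("&#39;");  break; // numeric form: &apos; is not defined in HTML 4
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input, modelled on the question above (hypothetical value).
        String fromDb = "<B> HELLO WORLD</B> & more";
        System.out.println(escapeHtml(fromDb));
    }
}
```

In a JSP the same effect is available without custom code: JSTL's `<c:out value="${row.comment}"/>` escapes these characters by default (its escapeXml attribute is true unless set otherwise), and `${fn:escapeXml(row.comment)}` does the same inside EL.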