posted 15 years ago
You can't prevent users from entering it. All you can do at the server side is to escape HTML.
To escape it on the server side directly during request processing, you can use Apache Commons Lang StringEscapeUtils. You can also decide to leave it as it is (it can't harm that much at the server and database side) and escape the values in the view using JSTL's c:out tag. It by default escapes HTML.
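An added example, not part of the original post: a plain-Java sketch of the two options above, showing what happens when a value is escaped once in the view versus escaped at request time and then again in the view. The class and method names are hypothetical, the input is constructed, and `escapeForHtml` is a stand-in that replaces the same five characters c:out replaces by default, not the JSTL or Commons Lang code itself.

```java
public class OutputEscapingDemo {

    // Stand-in for view-time escaping: replaces the five characters that
    // c:out replaces when escapeXml is left at its default (true).
    static String escapeForHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical view fragment: every value is escaped where it is written.
    static String renderCell(String value) {
        return "<td>" + escapeForHtml(value) + "</td>";
    }

    public static void main(String[] args) {
        // Constructed sample of what a user might type into a form field.
        String submitted = "Tom & <b>Jerry</b>";

        // Option 2 from the post: store the raw value, escape only in the view.
        String storedRaw = submitted;
        System.out.println("escape in view only : " + renderCell(storedRaw));

        // Option 1 combined with an escaping view: the value is escaped during
        // request processing, stored that way, then escaped again on output,
        // so the browser displays literal entity text such as "&amp;".
        String storedEscaped = escapeForHtml(submitted);
        System.out.println("escaped twice       : " + renderCell(storedEscaped));
    }
}
```

If values are escaped during request processing, the view has to print them without escaping again, and every other consumer of the stored data receives HTML entities rather than what the user typed.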