Substitute HTML tags?

Hey guys,

Want to substitute/parse out the html tags that I receive from a previously submitted form, so users cannot submit html tags that will change the later presentation of that text.

Which is the smartest way of doing this?
Theres gotto be some class in the java class lib that will help with identifying html tags, but I havent found any so far.

Thanks in advance.

Regards

Are you talking about situations where a customer enters something like "</html>" for their name or something?

The best way to handle that is to HTML-escape the string whenever you display text on a page that came from user entry. If you are using the JSTL on your JSP pages (and if not, why not?), use of the <c:out> tag will automatically convert the angle bracket character to their HTML entity equivalents.
[ May 02, 2005: Message edited by: Bear Bibeault ]

Thx guys for your quick reply.

Im actually not using JSP for the view of the user input (Im aware that is way more convenient, but Im building on top of an older system), but the page that the user input is displayed upon is generated from a plain old servlet.

How can I HTML-escape the string from a Servlet? Havent used that technique before.

Thanks again!

Regards

Look at the replaceAll method of the java.lang.String class if you're using 1.4 or higher (otherwise, look at replace).

Change any instance of '<' to "&lt;" and any instance of '>' to "&gt;".
[ May 02, 2005: Message edited by: Ben Souther ]

Most HTML-escapers will also substitue &amp; for the & character.

There are a few other html tags that are escaped as well, right?

So, in effect, make a list with all HTML tags and a corresponding one with their replacements and do a String.replace or String.replaceAll on all the elements of the list?

Or use a HashMap with HTML tags as names and the escape sequences as values and do the String.replace/replaceAll.

i guess that will work, but is that the most efficient way of doing it??

Originally posted by Neeraj Dheer:
There are a few other html tags that are escaped as well, right?

So, in effect, make a list with all HTML tags and a corresponding one with their replacements and do a String.replace or String.replaceAll on all the elements of the list?

Or use a HashMap with HTML tags as names and the escape sequences as values and do the String.replace/replaceAll.

i guess that will work, but is that the most efficient way of doing it??

It's not a tag if it doesn't start with <.

It's not a tag if it doesn't start with <.

yup..i couldnt agree more...
i had the same problem while using XML/XSLT in servlets.
i had to escape all html characters in javascript etc in the XSL files else the transformation would throw an error.

Probably we could have some kind of 'intelligent' mechanism for escaping only the 'right characters' ?

The Java regular expression package is your friend when doing this sort of thing. See java.util.regex.Pattern etc. - your class can have a static Pattern preset to recognize certain character sequences - for example:
static Pattern ampRep = Pattern.compile("&"); static Pattern ltRep = Pattern.compile("<"); static Pattern gtRep = Pattern.compile(">");
It takes a bit of fiddling but works fast when you have it figured out.
Bill

Originally posted by William Brogden:
The Java regular expression package is your friend when doing this sort of thing. See java.util.regex.Pattern etc. - your class can have a static Pattern preset to recognize certain character sequences - for example:
static Pattern ampRep = Pattern.compile("&"); static Pattern ltRep = Pattern.compile("<"); static Pattern gtRep = Pattern.compile(">");
It takes a bit of fiddling but works fast when you have it figured out.
Bill

Yes, the String object's replaceAll function that I mentioned in my earlier post takes as it's first argument a regular expression.