I've been searching and have yet to see anything like this. Does anyone know of any APIs that will handle performing escaping of an HTML string, BUT allow specifying tags that are NOT to be escaped?
I saw a Template JSP taglib that had an escape tag, but it could only escape all or none. I think it would be a wise idea to have simple APIs, taglibs, and/or filters that could perform escaping easily but allow definable exceptions. This would keep people from having to abandon the well-developed escaping methods to build their own. With all the Cross-Site Scripting vulnerabilities that seem to pop up almost daily on the web, such things really should be made available to web developers. It would be nice to extend it to include a collection of escaping methods for other things as well, like to escape strings for use in SQL.
Anyway... my primary focus is looking for something that handles selective HTML escaping. Anyone know of any such thing?
By the way, disregard my comments about escaping strings for use in SQL. This should be necessary if using good practices in Java in the first place (parameterized queries). Just have my head caught in a mix of languages where some don't have commonly included support for parameterized queries. But you get my drift as far as something that may be useful for escaping for various uses.
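
One way to get the selective escaping asked about above, as an added example that is not part of the original post and not any existing library's API: escape everything first, then restore only bare tags named in an allowlist. The class name `SelectiveHtmlEscaper`, the allowed tag names and the sample input are assumptions constructed for illustration (requires Java 9+ for `Set.of`).

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper: escape all HTML, then re-enable allowlisted tags.
public class SelectiveHtmlEscaper {
    // An escaped tag with a name only, e.g. &lt;b&gt; or &lt;/b&gt;.
    // Anything carrying attributes does not match and stays escaped.
    private static final Pattern ESCAPED_TAG =
            Pattern.compile("&lt;(/?)([A-Za-z][A-Za-z0-9]*)&gt;");
    private final Set<String> allowedTags; // lower-case tag names

    public SelectiveHtmlEscaper(Set<String> allowedTags) { this.allowedTags = allowedTags; }

    // Full escape for HTML text and quoted attribute contexts.
    static String escapeAll(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            switch (s.charAt(i)) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(s.charAt(i));
            }
        }
        return out.toString();
    }

    public String escape(String input) {
        // A literal "&lt;b&gt;" typed by the user became "&amp;lt;b&amp;gt;"
        // in escapeAll, so only real "<b>" input can match here.
        Matcher m = ESCAPED_TAG.matcher(escapeAll(input));
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String name = m.group(2).toLowerCase(Locale.ROOT);
            String repl = allowedTags.contains(name)
                    ? "<" + m.group(1) + name + ">"   // rebuilt from the vetted name
                    : m.group();                      // not allowlisted: keep escaped
            m.appendReplacement(out, Matcher.quoteReplacement(repl));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        SelectiveHtmlEscaper e = new SelectiveHtmlEscaper(Set.of("b", "i", "em"));
        // Constructed sample: allowed tag, disallowed tag, allowed tag with attribute.
        System.out.println(e.escape("<b>hi</b> <script>alert(1)</script> <b onclick=\"x()\">y</b>"));
    }
}
```

Because attributes are never restored, `<b onclick=...>` stays escaped even though `b` is allowed. Tag balance is not enforced, so an unclosed allowed tag can still affect layout.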