I work on a Java and JSP web application and there are a few places where we are presenting data that is taken directly from a Java class. If you're interested, it's a Decorator class for an old and clunky JSP table widget called DisplayTag.
For data that is pulled from our database I need to encode it to HTML so that we are not vulnerable to putting raw and potentially malicious data directly into the browser. Currently we use the org.owasp.esapi.ESAPI library to do ESAPI.encoder().encodeForHTML(rawVal) but it doesn't play nice when unit testing and always fails due to some Reflection lookup failure. That kinda sucks.
I also heard that the ESAPI project is dead now. Is that true?
What is the best Java tool to encode my raw data into safe HTML Strings? What do you guys use?
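For readers following the question, the following is an added example (not the asker's DisplayTag decorator and not ESAPI code) of what an HTML output encoder for this situation has to do: escape the handful of characters that can change HTML structure, treat null as empty, and carry no configuration or reflection so it behaves identically inside a unit test. The class name `HtmlEncoder` and the two `renderCell*` helpers are constructed for the illustration.

```java
import java.util.Objects;

/**
 * Minimal HTML entity encoder for untrusted values rendered as HTML text
 * content or inside a quoted attribute value. Added example only: this is
 * not the DisplayTag decorator from the question and not part of ESAPI.
 * It has no configuration files and no reflection, so it runs unchanged
 * inside a plain unit test.
 */
public final class HtmlEncoder {

    private HtmlEncoder() {}

    /** Escapes the characters that can change HTML structure. Null becomes "". */
    public static String encodeForHtml(String raw) {
        if (raw == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break; // &apos; is not an HTML 4 entity
                case '/':  out.append("&#47;");  break; // keeps "</" from closing an element
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern: the database value is concatenated into the cell as-is. */
    static String renderCellUnsafe(String dbValue) {
        return "<td title=\"" + dbValue + "\">" + dbValue + "</td>";
    }

    /** Hardened pattern: every untrusted insertion point is encoded for the HTML context. */
    static String renderCellSafe(String dbValue) {
        String enc = encodeForHtml(dbValue);
        return "<td title=\"" + enc + "\">" + enc + "</td>";
    }

    public static void main(String[] args) {
        // Constructed sample values, not real database rows.
        String[] samples = {
            "Smith & Sons <Ltd>",
            "\"O'Neil\" <b>bold</b>",
            null,
        };
        for (String s : samples) {
            System.out.println("raw   : " + s);
            System.out.println("unsafe: " + renderCellUnsafe(s));
            System.out.println("safe  : " + renderCellSafe(s));
            System.out.println();
        }

        // Self-check of the encoder contract; runs with no ESAPI.properties on the classpath.
        check(encodeForHtml(null), "");
        check(encodeForHtml("a<b>c"), "a&lt;b&gt;c");
        check(encodeForHtml("x & y"), "x &amp; y");
        check(encodeForHtml("\"q\" 'a'"), "&quot;q&quot; &#39;a&#39;");
        check(encodeForHtml("</td>"), "&lt;&#47;td&gt;");
        check(encodeForHtml("plain text 123"), "plain text 123");
        System.out.println("all checks passed");
    }

    private static void check(String actual, String expected) {
        if (!Objects.equals(actual, expected)) {
            throw new AssertionError("expected [" + expected + "] but got [" + actual + "]");
        }
    }
}
```

Two caveats that apply to any encoder used this way, including ESAPI's `encodeForHTML`: the output is only safe for HTML text content and quoted attribute values, so a value that ends up inside a `<script>` block, a URL, or a CSS property needs the encoder for that context instead; and the hardened path only holds when every insertion point goes through the encoder, which is why `renderCellSafe` encodes once and reuses the result rather than encoding some places and not others.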