
Best tool to HTML encode data for presentation on a browser?

 
Tim Cooke
Marshal
Posts: 3652
I work on a Java and JSP web application and there are a few places where we are presenting data that is taken directly from a Java class. If you're interested, it's a Decorator class for an old and clunky JSP Table widget called DisplayTag.

For data that is pulled from our database I need to encode it to HTML so that we are not vulnerable to putting raw and potentially malicious data directly into the browser. Currently we use the org.owasp.esapi.ESAPI library to do ESAPI.encoder().encodeForHTML(rawVal) but it doesn't play nice when unit testing and always fails due to some Reflection lookup failure. That kinda sucks.

I also heard that the ESAPI project is dead now. Is that true?

What is the best Java tool to encode my raw data into safe HTML Strings? What do you guys use?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65833
What's the nature of the data being encoded? If all you need is replacement of special characters (such as <) with HTML entities, then simple string replacements could be used. But I suspect you need more than that...
 
Tim Cooke
Marshal
Posts: 3652
It's really not much more than that, Bear.

There's some data being presented that's retrieved from the database, and that data was put in the database as the result of some user input somewhere or other. The purpose of the encoding is to ensure that if the user entered malicious data then we do not present that back to the browser as is. Perhaps the user entered some JS code; I don't want to put that back on the browser and have it interpreted as a runnable script that could result in some unwelcome action being taken against the application. Or perhaps they've entered an anchor link to somewhere we really don't want to go. Or perhaps an img tag with a huge picture of a bear. You know the deal.

The ESAPI library I mentioned is just String to String transformation where HTML markup, such as < and the like, get replaced by their HTML encoded equivalent, like &lt; or whatever it is.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65833
In that case, I'd just write a simple method that uses String.replace to change all < and > characters to their HTML entity equivalents. I've seen some methods that also change quote characters, but I'm not sure that's necessary unless you will be using the text as attribute values. Would that satisfy the requirements?

Of course you still need to be careful where you put the text in your own markup. If you stick it inside <script> tags, well...
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65833
Just checked some code from a previous job (can't post it due to NDA restrictions), but it changed the following characters to HTML entity equivalents: < > " & and \.
 
Christian Taylor
Greenhorn
Posts: 8
How about StringEscapeUtils from Apache Commons Lang? I've used it for HTML and many other things.
 
Tim Cooke
Marshal
Posts: 3652
Thanks for that Christian. I was just coming back to talk about that very thing.

From what Bear has told me, there doesn't appear to be much to it. Just a handful of character replacements are required. So as I already have Apache Commons available in the project, and I'm too lazy to roll my own, I think StringEscapeUtils will be a suitable replacement for the troublesome-to-test ESAPI.

Many thanks fellas.
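For reference, here is the "simple method" Bear describes, written as a single-pass encoder rather than a chain of String.replace calls. This is an added example, not code from the thread, ESAPI or Commons Lang; it encodes the five characters that can change meaning in HTML text or a quoted attribute (&, <, >, ", '). A chain of replace calls must handle & first, otherwise "&lt;" produced by an earlier step is re-encoded to "&amp;lt;"; the single pass avoids that ordering trap. Note that Commons Lang's StringEscapeUtils.escapeHtml4 does not encode the single quote, so it is safe for element text and double-quoted attributes but not for single-quoted ones.

```java
/** Minimal HTML encoder for element text and quoted attribute values (added example). */
public final class HtmlEncoder {
    private HtmlEncoder() {}

    /** Replaces the HTML-significant characters so stored user input renders as literal text. */
    public static String encodeForHtml(String raw) {
        if (raw == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break; // entity introducer
                case '<':  sb.append("&lt;");   break; // tag start
                case '>':  sb.append("&gt;");   break; // tag end
                case '"':  sb.append("&quot;"); break; // closes attr="..."
                case '\'': sb.append("&#39;");  break; // closes attr='...'; &apos; is not HTML4
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample of the kind of stored user input the thread describes.
        String stored = "<script>alert('hi')</script> <img src=\"bear.jpg\"> Tom & Jerry";
        String safe = encodeForHtml(stored);

        // Element text context: the markup is displayed, not interpreted.
        System.out.println("<td>" + safe + "</td>");

        // Attribute context: quotes are encoded, so the value cannot break out of the attribute.
        System.out.println("<input type=\"text\" value=\"" + safe + "\">");

        // Idempotence check: encoding already-encoded text double-encodes it, so encode exactly once.
        System.out.println(encodeForHtml(safe).equals(safe) ? "idempotent" : "encode only once");
    }
}
```

As Bear notes, this output is only safe inside element text and quoted attribute values; it does not make a string safe to drop inside a <script> block, a URL, or a CSS rule, each of which needs its own encoding.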
 