Hi all, I want to set a jsp parameter to an attribute value which may contain special symbols, then use a form GET submit to pass the parameter to a servlet controller. For example, the parameter is:

<input type="hidden" name="searchTerms" value="${sessionScope.combTerms}"></input>

I noticed that if sessionScope.combTerms contains double quotes, e.g. location:"LOC1", the controller will only receive the value of searchTerms as location:, and the LOC1" has disappeared. What should I do to make sure whatever string is in sessionScope.combTerms is passed to the controller correctly? Thanks in advance.

+1  A: 

You encode the value before placing it into the form and then decode it in the servlet.

(You might have already seen this as %20 in URL parameters)

Here are the respective classes.

http://download-llnw.oracle.com/javase/1.5.0/docs/api/java/net/URLEncoder.html

http://download-llnw.oracle.com/javase/1.5.0/docs/api/java/net/URLDecoder.html

kazanaki
Hi kazanaki, thanks for your answer. Hmhm... but I also want to display the `sessionScope.combTerms` using `<c:out value="${sessionScope.combTerms}"></c:out>`. After encoding, the display is bad. So I would like to have a way to decode it in the .jsp for display purposes. Any more suggestions? Thanks.
Kenneth
put two attributes in the request - one encoded and one unencoded
Bozho
ah... cool.. it works. Thanks kazanaki and Bozho.
Kenneth
+1  A: 

When filling HTML input values, always use fn:escapeXml(). It not only sanitizes the value from HTML entities which might cause your HTML to become malformed (a quote denotes the end of the attribute value, that's why the remnant of your value got lost), but it will also save you from XSS injection attack risks at places where you're redisplaying user-controlled input.

<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>

<input type="hidden" name="searchTerms" value="${fn:escapeXml(sessionScope.combTerms)}">

No need to URLEncode it. The webbrowser will already do it automagically. Try it yourself with an & in the value. You'll see that the webbrowser changes it to %26. The webbrowser will also take care of parsing XML entities so that they end up correctly in the URL. I.e. you get " on the server side, not &#34;.

BalusC
This is beautiful!! This way is really what I was having in mind. A nice neat solution. Thank you very much Balus!! You are a genius.
Kenneth
You're welcome.
BalusC
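The attribute-escaping behaviour described in the answer above, as an added example that is not part of the original thread. `escapeXml` here is a hypothetical stand-in that escapes the same five characters as `fn:escapeXml`, `browserReadsValue` is a simplified model of how a browser reads a double-quoted attribute, `URLEncoder` approximates the form encoding the browser applies on a GET submit, and the sample values are constructed.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

public class AttributeEscapeDemo {

    // Hypothetical stand-in for fn:escapeXml: escapes < > & " and '.
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");  break;
                case '>':  out.append("&gt;");  break;
                case '&':  out.append("&amp;"); break;
                case '"':  out.append("&#34;"); break;
                case '\'': out.append("&#39;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Simplified model of a browser reading value="...": the value ends at the
    // first literal double quote, then character references are decoded.
    static String browserReadsValue(String html) {
        String marker = "value=\"";
        int start = html.indexOf(marker) + marker.length();
        String raw = html.substring(start, html.indexOf('"', start));
        return raw.replace("&lt;", "<").replace("&gt;", ">")
                  .replace("&#34;", "\"").replace("&#39;", "'")
                  .replace("&amp;", "&"); // decode &amp; last to avoid double decoding
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        String[] samples = { "location:\"LOC1\"", "a&b=<c>" }; // constructed values
        for (String term : samples) {
            String prefix = "<input type=\"hidden\" name=\"searchTerms\" value=\"";
            String unsafe = prefix + term + "\">";           // value written as-is
            String safe = prefix + escapeXml(term) + "\">";  // value escaped first
            String submitted = browserReadsValue(safe);
            System.out.println("unescaped markup yields: " + browserReadsValue(unsafe));
            System.out.println("escaped markup yields:   " + submitted);
            // Approximation of what the browser puts in the GET query string.
            System.out.println("query string: searchTerms="
                    + URLEncoder.encode(submitted, "UTF-8"));
        }
    }
}
```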
A: 

Hi, I am trying to print the "['\"Lines of Code in Build\u5931\"']" string in JavaScript. (This is related to localization stuff.)

Myjsp.jsp

<%
String item = "['\"Lines of Code in Build\u5931\"']";
%>
<input id="logFilesLabel" type="hidden" name="logFilesLabel" value="<%=item%>">

Myjs.js

var temp = document.getElementById("logFilesLabel"); // id must match the hidden input in Myjsp.jsp
if (temp) {
    alert(temp.value);
}

But I am able to retrieve only "['", the rest of the string is not coming through. I tried to use fn:escapeXml, but it is not working either. Does anyone have any suggestions?

VikyB