I would like to escape characters in JSP pages. Which is more suitable, escapeXml or escapeHtml?
Since you're sending HTML back to the consumer, I would go with escapeHtml.
escapeXml only supports escaping the five basic XML entities (gt, lt, quot, amp, apos), whereas escapeHtml supports escaping all known HTML 4.0 entities.
They're designed for different purposes; HTML has lots of entities that XML doesn't. XML only has 5 escapes:
&lt; represents "<"
&gt; represents ">"
&amp; represents "&"
&apos; represents "'"
&quot; represents '"'
While HTML has loads - think of &copy; etc. These HTML codes aren't valid in XML unless you include a definition in the header. The numeric codes (like &#169; for the copyright symbol) are valid in both.
Assuming you're referring to commons StringEscapeUtils, escapeXml only deals with <>"'& while escapeHtml covers a richer set of characters.
There's no such thing as escapeHtml in JSP. You normally use <c:out escapeXml="true"> (it by the way already defaults to true, so you can omit it) or fn:escapeXml() to escape HTML in JSP.
E.g.
    <c:out value="Welcome, ${user.name}" />
    <input name="foo" value="${fn:escapeXml(param.foo)}" />
It will escape them as XML entities, which works perfectly fine in plain HTML as well. They are only literally called XML entities because HTML entities are invalid in XML.
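The five-entity escaping that <c:out>/fn:escapeXml() and commons-lang escapeXml() perform, reproduced in Python as an added example (this is not code from any of the answers above, nor from JSTL or commons-lang). It renders the same two JSP lines as the last answer, a text node and a double-quoted attribute, from constructed hostile inputs, then runs the result through Python's html.parser to check that the escaped output stays inert (only the intended tags and attributes are seen, and the input comes back as a plain value) while the unescaped rendering does not. It also shows that the copyright sign passes through untouched, since it is not one of the five characters. The apostrophe is written as the numeric &#39; rather than &apos; because &apos; is not an HTML 4 entity (HTML5 does define it); the sample inputs NAME and FOO are constructed.

```python
from html.parser import HTMLParser

# Added example: the five XML escapes, applied in one pass so '&' is never
# escaped twice. '&#39;' is used for the apostrophe instead of '&apos;' since
# '&apos;' is not defined in HTML 4 (numeric references are valid in both).
_XML_TABLE = str.maketrans({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
})


def escape_xml(value):
    """Escape only the five XML special characters; everything else,
    including non-ASCII such as the copyright sign, is left as-is."""
    return str(value).translate(_XML_TABLE)


def render_welcome(user_name, foo, escape=escape_xml):
    """Build the same two lines the JSP example produces: a text node and a
    double-quoted attribute value, both filled from untrusted input.
    'escape' is swappable so the unescaped rendering can be compared."""
    return ('<p>Welcome, %s</p>\n'
            '<input name="foo" value="%s" />' % (escape(user_name), escape(foo)))


class _Collector(HTMLParser):
    """Record which tags, attributes and text a browser-like parser sees."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: entities are decoded
        self.tags = []
        self.attrs = {}
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.update(dict(attrs))

    def handle_data(self, data):
        self.text.append(data)


def parse(markup):
    """Parse rendered markup and return the collected tags/attrs/text."""
    p = _Collector()
    p.feed(markup)
    p.close()
    return p


# Constructed hostile inputs (not from the original page).
NAME = 'Mallory <script>alert(1)</script> & Co'
FOO = '" onfocus="alert(1)'

if __name__ == "__main__":
    safe = parse(render_welcome(NAME, FOO))
    print(safe.tags)                   # ['p', 'input']: the input added no tags
    print(safe.attrs["value"] == FOO)  # True: it is a value, not new attributes
    unsafe = parse(render_welcome(NAME, FOO, escape=str))
    print(unsafe.tags)                 # ['p', 'script', 'input']
    print("onfocus" in unsafe.attrs)   # True
```

The parser-based check is the useful part: rather than eyeballing the escaped string, it asks what a tag soup parser would make of it, which is exactly the question that matters for XSS. Run it once with the real escaper and once with `escape=str` to see the difference the five entities make.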