A: 

You need to escape the HTML for security purposes, e.g. to prevent things like Cross Site Scripting attacks (XSS).

Search for Cross site scripting on Google/Stack Overflow for more details.

There will be several open source Servlet Filters which will do this for you.

e.g. see here for an explanation

A_M
You mean something like this? http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project Sounds great, and I don't lose the feature that users can use things like "<b>" and "<i>".
brot
+4  A: 

The usual practice is the other way around. We save whatever is in the textarea, and use the escapeXml attribute of a <c:out> tag when showing it. This way everything, CSS and HTML tags alike, will be treated as simple text.

Adeel Ansari
+5  A: 

Short answer: have a look at org.apache.commons.lang.StringEscapeUtils.escapeHtml().

More detailed answer: Escaping HTML is the job of the presentation code, not the database code. What if for some reason you want to display your data at some point in a non-web environment, such as a classic GUI? You will have to unescape the whole thing, otherwise it will display total garbage.

Just save the data as it is and make sure you escape everything you get from the user right before you display it (ok, maybe not numbers stored as numbers, but you get the idea).

If you're using AJAX, you can take this even further and only escape your strings in JavaScript (or use innerText).

DrJokepu
Thanks, that was exactly what I was looking for. Also, I will try to implement the escaping in the front end, not the DB.
brot
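The "store raw, escape on output" approach from the answer above, as an added example that is not code from the original answers. It uses a hand-written escaper (covering the same five characters the commons-lang helper handles) so that it compiles without any dependency, and an in-memory map as a stand-in for the database; the payload string is constructed for the example.

```java
// Added example, not from the original Q&A: keep the user's text unchanged in
// storage and escape it only at the point where it is rendered as HTML.
import java.util.HashMap;
import java.util.Map;

public class EscapeOnOutput {

    // Minimal equivalent of what an escapeHtml-style helper does for the
    // characters that matter in HTML text and in quoted attribute values.
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hypothetical stand-in for the database table: stores exactly what was typed.
    private static final Map<Integer, String> STORE = new HashMap<Integer, String>();

    static void save(int id, String rawTextarea) {
        STORE.put(id, rawTextarea);
    }

    // Web view: escaped at render time, so tags become visible text.
    static String renderHtml(int id) {
        return "<p>" + escapeHtml(STORE.get(id)) + "</p>";
    }

    // Attribute context (the hidden-input case): quotes must be escaped too,
    // otherwise a value containing " breaks out of the attribute.
    static String renderHiddenInput(int id) {
        return "<input type=\"hidden\" name=\"htmlCode\" value=\""
                + escapeHtml(STORE.get(id)) + "\"/>";
    }

    // Non-web consumer (a desktop GUI, a report) gets the original text back,
    // which is the reason the answer gives for not escaping before storage.
    static String renderPlain(int id) {
        return STORE.get(id);
    }

    public static void main(String[] args) {
        // Constructed payload: a script tag plus an attribute break-out attempt.
        String payload = "<script>alert(document.cookie)</script>\" onmouseover=\"alert(1)";
        save(1, payload);
        System.out.println(renderHtml(1));
        System.out.println(renderHiddenInput(1));
        System.out.println(renderPlain(1));
    }
}
```

The same stored string is rendered three ways; only the two HTML renderings are escaped, and the attribute rendering shows why `"` must be in the escape set even when `<` and `>` are already covered.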
+2  A: 

Hi,

You can also use JSTL function: fn:escapeXml().

 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
 ...   
 <input type="hidden" name="htmlCode" value="${fn:escapeXml(htmlCode)}"/>
pawelsto
A: 

You can also use the JSTL core library.

c:out has escapeXml on by default.

Examples:

<c:out value="${tp.title}" />

<c:out value="${product.listPrice}" escapeXml="false" /> <%-- if you want to turn it off --%>

This approach lets you do the escaping in the presentation layer, as other people recommended.

masato-san