Escape HTML in Jetty


Escape HTML in Jetty

Alexander Farber
Good evening,

what would be a method in Jetty to escape HTML characters in a String?

Is StringUtil.sanitizeXmlString() suitable for that?

Thank you
Alex


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

Re: Escape HTML in Jetty

Greg Wilkins

Alex,

note that we don't really represent our libraries as good for content generation, as they are mostly hidden from webapps and only exposed to embedded usage.   But sanitizeXmlString should work for HTML escaping as it does < > " \ and &.   But you'd better check that there are not other characters that need to be encoded for safe HTML injection.

cheers


On 6 March 2018 at 06:01, Alexander Farber <[hidden email]> wrote:
> Good evening,
>
> what would be a method in Jetty to escape HTML characters in a String?
>
> Is StringUtil.sanitizeXmlString() suitable for that?
>
> Thank you
> Alex

Re: Escape HTML in Jetty

John English
In reply to this post by Alexander Farber
On 05/03/2018 21:01, Alexander Farber wrote:
> Good evening,
>
> what would be a method in Jetty to escape HTML characters in a String?

OWASP has an easy-to-use Encoder class:
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

The OWASP XSS prevention cheat sheet is also worth a read:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

--
John English

Re: Escape HTML in Jetty

Joakim Erdfelt-8
Escaping text can be rather complicated.

Some things to think about (not exhaustive):

* Escaping HTML/XHTML/XML?
* Do you want/need an HTML parser?
* Do you escape it all/some (e.g. allow "<br>" but not the rest)?
* Do you escape Unicode? If so, to what target (form encoding? url encoding? other?)
* What is your target encoding? (UTF-8? UTF-16? ISO-8859-1? other?)
* What target are you escaping to? (html presentation? json? browser? xml attribute? yaml text? java manifests? etc...)
* Is your target a url? (you have different rules for escaping in hostname vs path vs query)



Joakim Erdfelt / [hidden email]

On Tue, Mar 6, 2018 at 10:19 AM, John English <[hidden email]> wrote:
> On 05/03/2018 21:01, Alexander Farber wrote:
> > Good evening,
> >
> > what would be a method in Jetty to escape HTML characters in a String?
>
> OWASP has an easy-to-use Encoder class:
> https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
>
> The OWASP XSS prevention cheat sheet is also worth a read:
> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
>
> --
> John English
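The two replies above make one combined point: John's suggestion (use the OWASP Java Encoder) and Joakim's list (the right escaping depends on where the string ends up). The following is an added example written for this thread, not code from any of the posters or from the Jetty project. It assumes the OWASP Java Encoder artifact `org.owasp.encoder:encoder` is on the classpath and uses its `Encode.forHtml`, `Encode.forHtmlAttribute`, `Encode.forJavaScript` and `Encode.forUriComponent` methods; the untrusted input string is constructed for the demonstration.

```java
import org.owasp.encoder.Encode;

/**
 * Added example (not from the thread): the same untrusted string encoded for
 * four different output contexts with the OWASP Java Encoder.
 * Assumes org.owasp.encoder:encoder is on the classpath.
 */
public class ContextEncodingExample {

    // Constructed untrusted input. It contains every character the OWASP XSS
    // cheat sheet wants escaped in HTML element content (& < > " ' /) plus a
    // script tag, so each encoder's output shows what it does and does not touch.
    static final String UNTRUSTED =
            "Tom & Jerry's <script>alert(\"x\")</script> </div>";

    /** Text placed between tags, e.g. <p>HERE</p>. */
    static String elementBody(String untrusted) {
        return "<p>" + Encode.forHtml(untrusted) + "</p>";
    }

    /** Text placed inside a quoted attribute value, e.g. <input value="HERE">. */
    static String attributeValue(String untrusted) {
        return "<input value=\"" + Encode.forHtmlAttribute(untrusted) + "\">";
    }

    /** Text placed inside a JavaScript string literal in a script block. */
    static String scriptString(String untrusted) {
        return "<script>var name = '" + Encode.forJavaScript(untrusted) + "';</script>";
    }

    /** Text placed in a URL query parameter, e.g. href="/search?q=HERE". */
    static String queryParam(String untrusted) {
        return "<a href=\"/search?q=" + Encode.forUriComponent(untrusted) + "\">search</a>";
    }

    public static void main(String[] args) {
        // Each line is the same input, rendered safely for a different context.
        System.out.println(elementBody(UNTRUSTED));
        System.out.println(attributeValue(UNTRUSTED));
        System.out.println(scriptString(UNTRUSTED));
        System.out.println(queryParam(UNTRUSTED));
    }
}
```

The method is chosen by the destination of the string, which is the question Joakim's list is asking: an encoder for HTML element content is not the right tool for a JavaScript string literal or a URL query parameter, because those contexts have their own metacharacters. Note also that the OWASP cheat sheet's rule for HTML content escapes the single quote, which is not in the set of characters Greg lists for sanitizeXmlString; that is the kind of gap his "you'd better check" refers to.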

Re: Escape HTML in Jetty

Alexander Farber
Thank you, I will switch to using OWASP
