Course – LS – All

Get started with Spring and Spring Boot, through the Learn Spring course:


1. Overview

In the vast landscape of web development, the handling of HTML symbols plays a crucial role in safeguarding against security vulnerabilities and ensuring the proper rendering of content on web pages.

In this tutorial, we’ll explore different ways to escape HTML symbols in Java. By doing so, we can protect our applications from cross-site scripting (XSS) attacks and prevent unintended markup interpretation.

2. Understanding HTML Symbol Escaping

Before diving into the solutions, it’s essential to grasp the concept of HTML symbol escaping. HTML symbols, such as <, >, &, etc., carry specific meanings in the context of HTML markup. However, when these symbols appear within user-generated content or dynamic data, it’s imperative to escape them properly. Failing to do so can lead to security breaches and potential rendering issues on web pages.

Suppose we have a Java application that takes user input and displays it on a web page. The user provides the following input:

String userInput = "<script>alert('Hello, Baeldung!');</script>";

If we directly display this user input on the web page without escaping the HTML symbols, it will be rendered as HTML tags and could execute JavaScript code, leading to a potential XSS attack.

To prevent this, we need to escape the HTML symbols before displaying the user input. After escaping the HTML symbols, the string should be converted to:

String escapedInput = "&lt;script&gt;alert('Hello, Baeldung!');&lt;/script&gt;";

As we can see, the < and > symbols are replaced with &lt; and &gt; respectively, ensuring they are displayed as plain text on the web page and not interpreted as HTML tags.

3. Solution

Let’s explore multiple approaches to escape HTML symbols in Java:

3.1. Using Apache Commons Text

Apache Commons Text library provides a reliable utility class, StringEscapeUtils, that offers the escapeHtml4() method for escaping HTML symbols:

String input = "<div>Escape & test</div>";
String escapedOutput = StringEscapeUtils.escapeHtml4(input);

3.2. Using Google Guava

Google Guava, a powerful open-source library, also provides a solution to escape HTML symbols with HtmlEscapers class:

String escapedOutput = HtmlEscapers.htmlEscaper().escape(input);

3.3. Using HtmlUtils Class of Spring Framework

If we’re working with the Spring Framework, Spring’s HtmlUtils class offers a convenient method for escaping HTML symbols:

String escapedOutput = HtmlUtils.htmlEscape(input);

4. Conclusion

In this tutorial, we’ve explored different ways to escape HTML symbols in Java. Escaping HTML symbols is crucial to secure web applications against XSS attacks and to ensure the proper rendering of dynamic content.

The example code from this article can be found over on GitHub.

Course – LS – All

Get started with Spring and Spring Boot, through the Learn Spring course:

res – REST with Spring (eBook) (everywhere)
Inline Feedbacks
View all comments
Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.