Escaping HTML characters in JSP without special library

Question

I'm a new programmer at a software house, and let's just say I can't make too much modification that includes a major changes, for example like adding library. In the current project, we're using JSP and Servlet, and some other advanced GUI that I never knew (they said it's a derivative of Eclipse, called Enfinity). The Enfinity also hides the libraries under obscure locations, and it's very different than in Java. So I don't think I will able to understand about the library location too, moreover adding some new library.

The problem here, I need to escape HTML characters like &, <, >, ", and ', but when I search solution on the internet, usually the solution involves using JSTL ( c:out or ${fn:escapeXML} ) or importing a library (Spring's HTMLEscape, or Apache's StringEscapeUtils). JQuery, on the other hand, is imported, but sadly, not related to solution. But the problem is JSTL is not part of the library readily imported into the project. Java, JSP, and Servlet are kinda new to me, as I didn't get Java at all in my college, so I don't know either what library is standard in JSP (already present, without I have to add it physically). I don't even know whether the Apache's StringEscapeUtils is present or not. Do you have any suggestion / codes on how I should escape the HTML characters under my circumstances? Thank you very much.

Answer 1

If your target platform is really Enfinity - as you are stating in your questions and in the tags - you should be using the Enfinity constructs even though this is not completely what you know from JSP. Please allow me to reopen this old thread and try to help you with that.

Enfinity got an own "templating language" called ISML. In the end ISML is precompiled to JSP. You can find a documentation with any installation of the Enfinity application server (a PDF called enfsuite_dev_programming). You should ask your project manager or build engineer if you don't have it available.

On the other hand I read from your statement that you possibly have the Enfinity Studio available (which is the IDE of Enfinity - a derivate of Eclipse. You should be able to access the developer guide through Enfinity Studios Help Menu. This menu may have some errors in some versions of the Studio unfortunately. However, you can get there through Window > Show View > Other > Help. On bottom of the help window is a "Content" link that will take you to the overview. The developer guide is under the table of contents link Enfinity Suite Application Programming Guide.

However you get to the guide: in the appendix you find a section "Reference > ISML Tags / ISML Functions / ISML Modules". Browsing through it you will find the function:

<isprint value="#value#" encoding="on|off">

Encoding is "on" by default and this statement will do exactly what you need: it will encode all HTML special characters in #value#. The special here is that the key value matches to an object in the so called Pipeline Dictionary which is a construct storing objects coming out of the Enfinity business logic workflow layer (so called pipelines).

This pipeline dictionary can be manipulated in JSP using:

Map<String, Object> pdict = getPipelineDictionary();

The dictionary is a standard java Map and can be manipulated using the known operations. However, the preferred way would be using pipelines or at least the respective ISML tag

<isset name="name" value="#value#" scope="request|session">

A full example for usage with JSP/ISML would be:

<%
String myString = "<b>Test</b>";
getPipelineDictionary().put("myDictKey", myString);
%>
<isprint value="#myDictKey#">

Answer 2

You can import org.apache.commons.lang.StringEscapeUtils and add its jar file. That are not by default present in jsp/servlets. It will provide you facility to escape characters from html, mysql, xml etc. Also you can make your own method to check for the character sequence and then use it as a escape function to escape data you want.