You are using the wrong encoding for the context. You are in regular attribute context, so you should use encodeForHTMLAttribute.
Btw, for Java there is a templating language that has context-sensitive autoescaping, https://code.google.com/p/hapax2/, so you don't have to:

- Manually determine what context you are in
- Choose the correct encoding manually for that context
- Write the code to escape manually, which in this case is a mouthful and makes the template harder to read

All of which is error-prone and comparable to escaping SQL manually, except much harder.
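As an added illustration (not code from the comment above, nor from ESAPI or hapax2): a small Python model of the two ESAPI encoders, with the immune character sets assumed to match ESAPI's DefaultEncoder (encodeForHTML leaves the space character alone, encodeForHTMLAttribute does not), plus a parser-based check of whether an untrusted value placed into an unquoted attribute stays inside that one attribute.

```python
from html.parser import HTMLParser

# Assumed ESAPI DefaultEncoder immune sets: everything else that is not
# ASCII-alphanumeric becomes a numeric entity. The only difference is that
# the HTML (body) encoder treats space as harmless; the attribute encoder
# does not, because a bare space ends an unquoted attribute value.
IMMUNE_HTML = set(",.-_ ")
IMMUNE_HTMLATTR = set(",.-_")


def _entity_encode(text: str, immune: set) -> str:
    out = []
    for ch in text:
        if (ch.isascii() and ch.isalnum()) or ch in immune:
            out.append(ch)
        else:
            out.append("&#x%x;" % ord(ch))
    return "".join(out)


def encode_for_html(text: str) -> str:
    """Model of ESAPI encodeForHTML (HTML body context)."""
    return _entity_encode(text, IMMUNE_HTML)


def encode_for_html_attribute(text: str) -> str:
    """Model of ESAPI encodeForHTMLAttribute (attribute context)."""
    return _entity_encode(text, IMMUNE_HTMLATTR)


def render_unquoted_attr(value: str, encoder) -> str:
    """Template fragment with an unquoted attribute (constructed example)."""
    return "<input value=" + encoder(value) + ">"


class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs = attrs  # entity references already decoded by the parser


def attributes_of(markup: str) -> list:
    """Return the (name, value) attributes the parser sees in the first tag."""
    p = _AttrCollector()
    p.feed(markup)
    return p.attrs


def stays_in_one_attribute(value: str, encoder) -> bool:
    """Defensive check: did the chosen encoder keep the value in one attribute?"""
    return len(attributes_of(render_unquoted_attr(value, encoder))) == 1
```

With the body encoder, the constructed value `x autofocus` splits into two attributes; with the attribute encoder the space is entity-encoded and the parser sees a single attribute whose value is still `x autofocus`.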