I am of course familiar with the java.net.URLEncoder and java.net.URLDecoder classes. However, I only need HTML-style encoding. (I don't want ' ' replaced with '+', etc). I am not aware of any JDK built in class that will do just HTML encoding. Is there one? I am aware of other choices (for example, Jakarta Commons Lang 'StringEscapeUtils', but I don't want to add another external dependency to the project where I need this.
I'm hoping that something has been added to a recent JDK (aka 5 or 6) that will do this that I don't know about. Otherwise I have to roll my own.
There isn't a JDK built in class to do this, but it is part of the Jakarta commons-lang library.
String escaped = StringEscapeUtils.escapeHtml3(stringToEscape);
String escaped = StringEscapeUtils.escapeHtml4(stringToEscape);
Check out the JavaDoc
Adding the dependency is usually as simple as dropping the jar somewhere, and commons-lang has so many useful utilities that it is often worthwhile having it on board.
A simple way seem to be this one:
public static String encodeHTML(String s)
{
StringBuffer out = new StringBuffer();
for(int i=0; i<s.length(); i++)
{
char c = s.charAt(i);
if(c > 127 || c=='"' || c=='<' || c=='>')
{
out.append("&#"+(int)c+";");
}
else
{
out.append(c);
}
}
return out.toString();
}
Source: http://forums.thedailywtf.com/forums/p/2806/72054.aspx#72054
Apparently, the answer is, "No." This was unfortunately a case where I had to do something and couldn't add a new external dependency for it -- in the short term. I agree with everyone that using Commons Lang is the best long-term solution. This is what I will go with once I can add a new library to the project.
It's a shame that something of such common use is not in the Java API.
I've found that all existing solutions (libraries) I've reviewed suffered from one or several of the below issues:
- They don't tell you in the Javadoc exactly what they replace.
- They escape too much ... which makes the HTML much harder to read.
- They do not document when the returned value is safe to use (safe to use for an HTML entity?, for an HTML attributute?, etc)
- They are not optimized for speed.
- They do not have a feature for avoiding double escaping (do not escape what is already escaped)
- They replace single quote with
' (wrong!)
On top of this I also had the problem of not being able to bring in an external library, at least not without a certain amount of red tape.
So, I rolled my own. Guilty.
Below is what it looks like but the latest version can always be found in this gist.
/**
* HTML string utilities
*/
public class SafeHtml {
/**
* Escapes a string for use in an HTML entity or HTML attribute.
*
* <p>
* The returned value is always suitable for an HTML <i>entity</i> but only
* suitable for an HTML <i>attribute</i> if the attribute value is inside
* double quotes. In other words the method is not safe for use with HTML
* attributes unless you put the value in double quotes like this:
* <pre>
* <div title="value-from-this-method" > ....
* </pre>
* Putting attribute values in double quotes is always a good idea anyway.
*
* <p>The following characters will be escaped:
* <ul>
* <li>{@code &} (ampersand) -- replaced with {@code &}</li>
* <li>{@code <} (less than) -- replaced with {@code <}</li>
* <li>{@code >} (greater than) -- replaced with {@code >}</li>
* <li>{@code "} (double quote) -- replaced with {@code "}</li>
* <li>{@code '} (single quote) -- replaced with {@code '}</li>
* <li>{@code /} (forward slash) -- replaced with {@code /}</li>
* </ul>
* It is not necessary to escape more than this as long as the HTML page
* <a href="https://en.wikipedia.org/wiki/Character_encodings_in_HTML">uses
* a Unicode encoding</a>. (Most web pages uses UTF-8 which is also the HTML5
* recommendation.). Escaping more than this makes the HTML much less readable.
*
* @param s the string to make HTML safe
* @param avoidDoubleEscape avoid double escaping, which means for example not
* escaping {@code <} one more time. Any sequence {@code &....;}, as explained in
* {@link #isHtmlCharEntityRef(java.lang.String, int) isHtmlCharEntityRef()}, will not be escaped.
*
* @return a HTML safe string
*/
public static String htmlEscape(String s, boolean avoidDoubleEscape) {
if (s == null || s.length() == 0) {
return s;
}
StringBuilder sb = new StringBuilder(s.length()+16);
for (int i = 0; i < s.length(); i++) {
char c = s.charAt(i);
switch (c) {
case '&':
// Avoid double escaping if already escaped
if (avoidDoubleEscape && (isHtmlCharEntityRef(s, i))) {
sb.append('&');
} else {
sb.append("&");
}
break;
case '<':
sb.append("<");
break;
case '>':
sb.append(">");
break;
case '"':
sb.append(""");
break;
case '\'':
sb.append("'");
break;
case '/':
sb.append("/");
break;
default:
sb.append(c);
}
}
return sb.toString();
}
/**
* Checks if the value at {@code index} is a HTML entity reference. This
* means any of :
* <ul>
* <li>{@code &} or {@code <} or {@code >} or {@code "} </li>
* <li>A value of the form {@code &#dddd;} where {@code dddd} is a decimal value</li>
* <li>A value of the form {@code &#xhhhh;} where {@code hhhh} is a hexadecimal value</li>
* </ul>
* @param str the string to test for HTML entity reference.
* @param index position of the {@code '&'} in {@code str}
* @return
*/
public static boolean isHtmlCharEntityRef(String str, int index) {
if (str.charAt(index) != '&') {
return false;
}
int indexOfSemicolon = str.indexOf(';', index + 1);
if (indexOfSemicolon == -1) { // is there a semicolon sometime later ?
return false;
}
if (!(indexOfSemicolon > (index + 2))) { // is the string actually long enough
return false;
}
if (followingCharsAre(str, index, "amp;")
|| followingCharsAre(str, index, "lt;")
|| followingCharsAre(str, index, "gt;")
|| followingCharsAre(str, index, "quot;")) {
return true;
}
if (str.charAt(index+1) == '#') {
if (str.charAt(index+2) == 'x' || str.charAt(index+2) == 'X') {
// It's presumably a hex value
if (str.charAt(index+3) == ';') {
return false;
}
for (int i = index+3; i < indexOfSemicolon; i++) {
char c = str.charAt(i);
if (c >= 48 && c <=57) { // 0 -- 9
continue;
}
if (c >= 65 && c <=70) { // A -- F
continue;
}
if (c >= 97 && c <=102) { // a -- f
continue;
}
return false;
}
return true; // yes, the value is a hex string
} else {
// It's presumably a decimal value
for (int i = index+2; i < indexOfSemicolon; i++) {
char c = str.charAt(i);
if (c >= 48 && c <=57) { // 0 -- 9
continue;
}
return false;
}
return true; // yes, the value is decimal
}
}
return false;
}
/**
* Tests if the chars following position <code>startIndex</code> in string
* <code>str</code> are that of <code>nextChars</code>.
*
* <p>Optimized for speed. Otherwise this method would be exactly equal to
* {@code (str.indexOf(nextChars, startIndex+1) == (startIndex+1))}.
*
* @param str
* @param startIndex
* @param nextChars
* @return
*/
private static boolean followingCharsAre(String str, int startIndex, String nextChars) {
if ((startIndex + nextChars.length()) < str.length()) {
for(int i = 0; i < nextChars.length(); i++) {
if ( nextChars.charAt(i) != str.charAt(startIndex+i+1)) {
return false;
}
}
return true;
} else {
return false;
}
}
}
TODO: Preserve consecutive whitespace.
Please don't roll your own. Use Jakarta Commons Lang. It is tested and proven to work. Don't write code until you have to. "Not invented here" or "Not another dependency" is not a very good base for deciding what to choose / write.
No. I would recommend using the StringEscapeUtils you mentioned, or for example JTidy (http://jtidy.sourceforge.net/multiproject/jtidyservlet/apidocs/org/w3c/tidy/servlet/util/HTMLEncode.html).
I will suggest use org.springframework.web.util.HtmlUtils.htmlEscape(String input)
may be this will help.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 祖国的老花朵 的文章《Is there a JDK class to do HTML encoding (but not 》','https://www.manongdao.com/article-91941.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}