Java Regex, less than and more than sign

I have a string that users are able to enter on the internet, currently it is not protected against XSS attacks. I would like to be able to replace < and > symbols. Commonly known as 'less than', 'more than', 'angle brackets' etc.

I am sure this has been asked a million times but I can't find a simple answer. I assume regex is the way for开发者_运维问答ward but can't work out how to pick these characters.

You really should use StringEscapeUtils.escapeHtml() from Apache Commons Lang to instead of regex for this. E.g. all you need to do is:

String escaped = StringEscapeUtils.escapeHtml(input);

The best practice to protect against XSS is to escape all HTML entities and this method handles those cases for you. Otherwise you'll be writing, testing and maintaining your own code to do what has already been done. See the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet for more details.

Java regex shouldn't require any special treatment for angle brackets. This should work fine:

myString.replace("<", "less than").replace(">", "greater than");

Hope that helps.

-tjw

As an alternative to regex, you can use a utility class like the Apache Commons StringEscapeUtils class to encode your HTML strings when they are posted back to the server and before storing them in the databse or re-sending them as output.

Since you tagged this jsp, I'd like to add that the normal approach to escape HTML/XML in JSP is using the JSTL <c:out> tag or fn:escapeXml() function.

E.g.

<c:out value="${user.name}" />
<input type="text" name="name" value="${fn:escapeXml(user.name)}" />

No need for Apache Commons Lang. Plus, escaping should really be done in the view side, not in the model/controller side.

See also:

• XSS prevention in JSP