How to pass a string containing double quotes from a jsp to a servlet through URL using get method

I want to set a jsp parameter to an attribute value which may contain special symbols, then use a form GET submit to pass the parameter to a servlet controller. For example, the parameter is:

<input type="hidden" na开发者_运维技巧me="searchTerms" value="${sessionScope.combTerms}"></input>

I noticed if sessionScope.combTerms contains double quotes, eg. location:"LOC1", the controller will only receive the value of searchTerms to be location: in which the LOC1" disappeared. What should I do to make sure whatever string in sessionScope.combTerms is passed to the controller correctly? Thanks in advance.

When filling HTML input values, always use fn:escapeXml(). It not only sanitizes the value from HTML entities which might risk your HTML to malform (a quote denotes end of attribute value, that's why the remnant of your value got lost), but it will also save you from XSS injection attack risks at places where you're redisplaying user-controlled input.

<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>

<input type="hidden" name="searchTerms" value="${fn:escapeXml(sessionScope.combTerms)}">

No need to URLEncode it. The webbrowser will already do it automagically. Try it yourself with an & in the value. You'll see that the webbrowser changes it %26. The webbrowser will also take care about parsing XML entities so that they end up correctly in the URL. I.e. you get " in server side, not ".

<% String st = str.replaceAll("\"", "&quot;");%> ,and use st instead of str.

You encode the value before placing it into the form and then decode it in the serlvet.

(You might have already seen this as %20 in URL parameters)

Here are the respective classes.

http://download-llnw.oracle.com/javase/1.5.0/docs/api/java/net/URLEncoder.html

http://download-llnw.oracle.com/javase/1.5.0/docs/api/java/net/URLDecoder.html