Home/ Questions/Q 569995
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T13:21:15+00:00

How do I make sure I don’t escape something twice? I’ve heard that its

  • 0

How do I make sure I don’t escape something twice?

I’ve heard that its good practice to escape values as you receive them from a form, and also escape when you output. That way you have two chances to catch something.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I presume that you’re using JSP.

    Just escape during display only. There for the JSTL <c:out> tag is perfectly suitable. It escapes HTML entities by default. Use it to display every user-controlled input, such as request URL, request headers and request parameters.

    E.g.

    <input type="text" name="foo" value="<c:out value="${param.foo}" />">

    Escaping during input is not needed. XSS doesn’t harm in raw Java code nor in SQL databases. On the other hand, you would also rather save data unmodified in DB so that you can still see what the user actually entered, so that you can if necessary do social actions on mailicious users.

    If you’d like to know what to escape during input, it would be SQL injection. In such case just use PreparedStatement instead of regular Statement whenever you want to save any user-controlled input in the database.

    E.g.

    create = connection.prepareStatement("INSERT INTO user (username, password) VALUES (?, MD5(?))");
create.setString(1, username);
create.setString(2, password);
create.executeUpdate();
    • 0