Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I have a string that users are able to enter on the internet, currently it is not protected against XSS attacks. I would like to be able to replace < and > symbols. Commonly known as ‘less than’, ‘more than’, ‘angle brackets’ etc.
I am sure this has been asked a million times but I can’t find a simple answer. I assume regex is the way forward but can’t work out how to pick these characters.
You really should use
StringEscapeUtils.escapeHtml()from Apache Commons Lang to instead of regex for this. E.g. all you need to do is:The best practice to protect against XSS is to escape all HTML entities and this method handles those cases for you. Otherwise you’ll be writing, testing and maintaining your own code to do what has already been done. See the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet for more details.