I want to clean user input for help preventing XSS attacks and we don’t

Question

0

Asked: May 29, 20262026-05-29T08:59:52+00:00 2026-05-29T08:59:52+00:00

I want to clean user input for help preventing XSS attacks and we don’t

0

I want to clean user input for help preventing XSS attacks and we don’t necessarily care to have a HTML whitelist, as our users shouldn’t need to post any HTML / CSS.

Eyeing the alternatives out there, which would be better? Apache Commons Text’s StringEscapeUtils or JSoup Cleaner?

Update:

I went with JSoup after writing some unit tests for both it and Apache Commons Text.

I like how JSoup won’t mess with single quotation marks (i.e. "Alan’s mom" isn’t unchanged, whereas Apache Commons Text turns it into "Alan’s mom").

And the whitelist wasn’t a problem at all. It didn’t require any configuration, rather, they have some built-in options included which may come in handy if we choose to allow some subsets of HTML tags.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-29T08:59:54+00:00

Editorial Team

2026-05-29T08:59:54+00:00Added an answer on May 29, 2026 at 8:59 am

“Better”? I don’t think it matters. Cleaner has a Whitelist.none(), escape utils will escape everything.

It depends on how you want the “cleaned” input to render: do you want just the text nodes, or do you want the escaped HTML to show up?

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I want to clean user input for help preventing XSS attacks and we don’t

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply