Java - how to escape html special characters?
Using Java it is possible to escape HTML special characters in the following ways. Escaping is needed whenever untrusted text is inserted into an HTML page (element content or a quoted attribute value): without it, characters such as < and " let that text be parsed as markup, which is how cross-site scripting (XSS) happens.
When we use Spring Framework we can use:
// import org.springframework.web.util.HtmlUtils
String html = "<p>Some text here...</p>";
String escaped1Html = HtmlUtils.htmlEscape(html); // "ISO-8859-1" by default
String escaped2Html = HtmlUtils.htmlEscape(html, "UTF-8");
Notes:
- more details in official documentation,
- see also full working example here.
If Spring is not available, we can use one of the following custom versions.
Custom function example
1. String replaceAll() based method
HTMLUtils.java file:
package com.dirask.examples;
public class HTMLUtils {
    // { character, entity reference } pairs
    private static final String[][] CHARACTERS = {
        { "&", "&amp;" },   // keep this rule at first position: the later rules produce entities that contain "&"
        { "<", "&lt;" },
        { ">", "&gt;" },
        { "\"", "&quot;" },
        { "'", "&#39;" }    // or &#039; or &apos; (&apos; is not supported by IE8 and is not defined in HTML 4)
    };
    public static String escapeHtml(String html) {
        String result = html;
        for (String[] entry : CHARACTERS) {
            // replaceAll() takes a regex; these five patterns contain no metacharacters
            // and the replacements contain no "$" or "\", so they are still matched literally
            result = result.replaceAll(entry[0], entry[1]);
        }
        return result;
    }
}
Program.java file:
package com.dirask.examples;
public class Program {
    public static void main(String[] args) {
        String html = "<div class=\"item\">Hi! How are you?</div>";
        String escapedHtml = HTMLUtils.escapeHtml(html);
        System.out.println(escapedHtml);
    }
}
Output:
&lt;div class=&quot;item&quot;&gt;Hi! How are you?&lt;/div&gt;
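The following program is an added example and is not part of the original article or of any library; the class name EscapeContextDemo, the method escape() and the two rule tables are hypothetical names chosen here. It shows the two things the comments above only mention: what goes wrong when the "&" rule is not applied first, and why escaping the five characters is only sufficient when the value is placed inside a quoted attribute or element content. The sample strings are constructed for the demonstration.

```java
package com.dirask.examples;

// Added example, not code from the original article.
public class EscapeContextDemo {

    // The same five rules as in HTMLUtils, with "&" first.
    private static final String[][] RULES_AMP_FIRST = {
        { "&", "&amp;" }, { "<", "&lt;" }, { ">", "&gt;" }, { "\"", "&quot;" }, { "'", "&#39;" }
    };

    // Deliberately wrong order: "&" last, so the "&" inside the entities
    // produced by the earlier rules is escaped a second time.
    private static final String[][] RULES_AMP_LAST = {
        { "<", "&lt;" }, { ">", "&gt;" }, { "\"", "&quot;" }, { "'", "&#39;" }, { "&", "&amp;" }
    };

    // Applies the rules in table order. String.replace() matches literally,
    // so no regex metacharacter handling is involved (unlike replaceAll()).
    static String escape(String input, String[][] rules) {
        String result = input;
        for (String[] rule : rules) {
            result = result.replace(rule[0], rule[1]);
        }
        return result;
    }

    // Wraps an escaped value in an unquoted attribute (unsafe pattern).
    static String unquotedAttribute(String escapedValue) {
        return "<input value=" + escapedValue + ">";
    }

    // Wraps an escaped value in a double-quoted attribute (safe pattern).
    static String quotedAttribute(String escapedValue) {
        return "<input value=\"" + escapedValue + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample: a typical markup-injection attempt.
        String payload = "<img src=x onerror=\"alert('xss')\">";

        // 1. Rule order: "&" first gives one entity per special character;
        //    "&" last re-escapes the "&" of every entity produced before it.
        System.out.println(escape(payload, RULES_AMP_FIRST));
        System.out.println(escape(payload, RULES_AMP_LAST));

        // 2. Output context: this value contains none of the five characters,
        //    so escaping leaves it unchanged. In an unquoted attribute the space
        //    ends the value and "onmouseover=alert(1)" becomes a new attribute;
        //    inside quotes the whole string stays the attribute value.
        String userValue = "x onmouseover=alert(1)";
        String escaped = escape(userValue, RULES_AMP_FIRST);
        System.out.println(unquotedAttribute(escaped));
        System.out.println(quotedAttribute(escaped));
    }
}
```

With RULES_AMP_FIRST the payload becomes &lt;img src=x onerror=&quot;alert(&#39;xss&#39;)&quot;&gt;, which a browser renders as text. With RULES_AMP_LAST every entity is escaped again (&amp;lt;, &amp;quot; and so on), so the page displays the literal text "&lt;img ..." instead of "<img ...": not an injection, but wrong output, which is why the rule order comment in HTMLUtils matters. The second part is the practical caveat: the five-character escape protects element content and quoted attribute values only; if the template emits the value into an unquoted attribute, an attacker does not need any of those characters to add an event handler, so always quote the attribute.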
2. Optimal solution
The solution below walks the string once and chooses the replacement with a switch, which avoids the five full passes over the string made by the replaceAll() version.
package com.dirask.examples;
public class HtmlUtils {
    public static String escapeHtml(String html) {
        int length = html.length();
        int capacity = (int) Math.round(1.3 * length); // rough guess: escaped text is somewhat longer
        StringBuilder builder = new StringBuilder(capacity);
        for (int i = 0; i < length; ++i) {
            char value = html.charAt(i);
            // each character is examined exactly once, so, unlike the replaceAll() version,
            // the order of the cases does not matter here
            switch (value) {
                case '&':
                    builder.append("&amp;");
                    break;
                case '<':
                    builder.append("&lt;");
                    break;
                case '>':
                    builder.append("&gt;");
                    break;
                case '"':
                    builder.append("&quot;");
                    break;
                case '\'':
                    builder.append("&#39;"); // or &#039; or &apos; (&apos; is not supported by IE8 and is not defined in HTML 4)
                    break;
                default:
                    builder.append(value);
                    break;
            }
        }
        return builder.toString();
    }
}