I'm working on a project where we use the MVC pattern in a web application. Our views are JSPs. The question I was asking myself: sometimes I see JSPs where JSTL (`c:out`) is used to escape Strings to HTML to prevent XSS attacks, and sometimes the Apache Commons class/method `StringEscapeUtils.escapeHtml4`.
I had a look into the sources of this Apache class/method and could find a lot more characters that will be escaped compared to the use of `c:out` (as far as I could see, only five characters will be escaped/replaced: `>`, `<`, `'`, `"`, `&`).
Is there any reason to favor the `StringEscapeUtils` static helper method instead of the JSTL `c:out` function in JSPs?
If not: my current understanding of how these two methods work is that one method escapes more characters than the other. But what is the reason for this different behavior? Why would I use one method only in views and another method which replaces more characters in, for example, Controllers? Or am I just totally confused/mistaken?
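Added example (not code from the question, the JSTL taglib, or Commons Lang) that runs the same inputs through both escapers side by side; `jstlStyleEscape` is an assumed reimplementation of the five-character set described in the question, while `escapeHtml4` is the real `org.apache.commons.lang3.StringEscapeUtils` method and needs commons-lang3 on the classpath.

```java
import org.apache.commons.lang3.StringEscapeUtils;

public class EscapeComparison {

    // Assumed reimplementation mirroring the five characters the question
    // attributes to <c:out>; it is not the taglib's own code.
    static String jstlStyleEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: markup, an apostrophe, and non-ASCII letters.
        String[] samples = {
            "<b>bold</b> & \"quoted\"",
            "O'Brien",
            "Müller & Söhne"
        };
        for (String in : samples) {
            System.out.println("input       : " + in);
            System.out.println("c:out style : " + jstlStyleEscape(in));
            // escapeHtml4 entity-encodes the non-ASCII letters (&uuml;, &ouml;)
            // but leaves the apostrophe untouched, because ' has no HTML 4 entity.
            System.out.println("escapeHtml4 : " + StringEscapeUtils.escapeHtml4(in));
            System.out.println();
        }
    }
}
```

The output shows the practical difference for an HTML body: both neutralise `<`, `>`, `&` and `"`, but only the `c:out`-style set touches `'`, so `escapeHtml4` output placed inside a single-quoted attribute value is not safe on its own. The extra entities `escapeHtml4` produces for non-ASCII characters are a display convenience, not additional XSS protection.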