HTML Entities Encoder in JSP

Question

I want to use an HTML Entity Encoder for my HTML <div>${data}</div> I was using ESAPI library ESAPI.encoder().encodeForHTML But I am not sure if it is correct, because for instance, the result of encoding test/a/2 using ESAPI.encoder().encodeForHTML is test/a/2 (that's what I see in my JSP using :

<div><esapi:encodeForHTML>${deviceKey}</esapi:encodeForHTML></div>

but on this site http://www.web2generators.com/html-based-tools/online-html-entities-encoder-and-decoder the result is test/a/2 (?!) Why ?

Both are "correct". Both are equivalent HTML representations of the same string. It's *unnecessary* to encode `/` to `/` here, but it's not incorrect either. — deceze, Jul 04 '16 at 09:14
so there is ESAPI encoder equivalent to the other one ? I don't want to encode everything — María Belén Esteban Menéndez, Jul 04 '16 at 09:15
Apart from your own aesthetic sensibilities, is there any reason to not want to encode everything? Do you have to use ESAPI for some reason or another? Then just use its HTML encoder, I guess?! You could of course bend over backwards and try alternative ways, but again, what you have is already perfectly "correct". — deceze, Jul 04 '16 at 09:19
well, If I guess the final user would better understand test/a/2, rather than test/a/2 — María Belén Esteban Menéndez, Jul 04 '16 at 09:20
So you're encoding to HTML entities and then apparently use a template which itself encodes to HTML entities?! Then your problem is that you're *double encoding*. If your template already does HTML encoding for you, you don't need to do it with ESAPI as well. — deceze, Jul 04 '16 at 09:24

score 0 · Answer 1 · answered Jul 15 '16 at 02:34

ESAPI is almost unsupported due to a lack of interest in maintaining the platform; we'd love to have more active developers.

If you're doing active Ajax replacing of divs, you should look into safe templating and SCE in AngularJS as a replacement for ESAPI.

https://docs.angularjs.org/api/ngSanitize/service/$sanitize https://docs.angularjs.org/api/ng/service/$sce

HTML Entities Encoder in JSP

1 Answers1