In my legacy project I can see the usage of escapeHtml before a string is sent to the browser.
StringEscapeUtils.escapeHtml(stringBody);
I know from
From my experience, all strings should be HTML-escaped before being displayed on the page. Our current project is about managing all the Organization Units from Active Directory, and these units could contain any special character (including HTML characters). When displaying them on the page, you could end up with the following code to show a record called User
<%= request.getAttribute("Name") %>
after the page is rendered, it will become
User
which actually appears as User
hyperlink on the page.
However, if you escape the HTML value before sending it to the page
request.setAttribute("Name", StringEscapeUtils.escapeHtml("User <Marketing>"));
after the page is rendered, it will become
User <Marketing>
which appears correctly on the JSP page.
In short, you escape HTML characters to guard against special input. If the input contains HTML characters, your page will render incorrectly.
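To make the behaviour described in the answer concrete, here is an added, self-contained Java example (not code from the original question or from commons-lang). It uses its own small text-context escaper covering the five characters that can change HTML structure, then prints the raw and escaped forms of a few constructed OU display names, both in element content and inside a double-quoted attribute. The class name, the helper `escapeHtml`, and the sample names are illustrative assumptions.

```java
public class HtmlEscapeDemo {

    // Illustrative escaper for text and double-quoted attribute contexts.
    // It is not commons-lang's implementation: note that commons-lang's
    // escapeHtml/escapeHtml4 leave the single quote untouched, so this
    // helper additionally escapes it as &#39;.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;   // must come first conceptually: never re-escape output
                case '<':  sb.append("&lt;");   break;   // opens a tag
                case '>':  sb.append("&gt;");   break;   // closes a tag
                case '"':  sb.append("&quot;"); break;   // closes a double-quoted attribute
                case '\'': sb.append("&#39;");  break;   // closes a single-quoted attribute
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed OU display names; not real directory data.
        String[] names = {
            "User <Marketing>",                     // the answer's case: a "tag" that swallows text
            "R&D <script>alert(1)</script>",        // a name that would execute as script if unescaped
            "O'Brien \"Sales\""                     // quotes that would break out of an attribute
        };

        for (String name : names) {
            // What the unescaped JSP expression would emit (browser treats <...> as markup).
            System.out.println("raw:     <td>" + name + "</td>");
            // What the escaped value emits: the browser displays the literal characters.
            System.out.println("escaped: <td>" + escapeHtml(name) + "</td>");
            // Same value inside a double-quoted attribute, where quotes matter as much as angle brackets.
            System.out.println("attr:    <input value=\"" + escapeHtml(name) + "\">");
            System.out.println();
        }
    }
}
```

Two practical caveats when applying this to the JSP in the question: escaping at `setAttribute` time, as the answer does, means every view that prints that attribute must not escape it again or the user sees `&amp;lt;` instead of `<`; escaping in the view (for example with JSTL's `<c:out value="${name}"/>`, which escapes `< > & ' "` by default) keeps the model data intact and avoids double escaping. And because commons-lang's `escapeHtml`/`escapeHtml4` do not touch `'`, keep attribute values in double quotes whenever the value came from the directory.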