escaping

I have the following flow: A user is presented with a form. He fills in the form fields, and submits to the controller, which persists this to the DB On another page, the Controller gets this record from the DB, and passes it to the view The view captures it as a javascript variable: var foo = '${user.bar}'; Now, if the user enters this string in the form: I have a quote - ' - very dangerous then the quote is passed through all the way to the DB and back, and results in a corrupt javascript statement: var foo = 'I have a quote - ' - very dangerous'; What is the best place to escape this

i need to run following command: ffmpeg -i input.jpg -vf scale="'if(gt(a,4/3),320,-1)':'if(gt(a,4/3),-1,240)'" output_320x240_boxed.png so i execute: cmd = exec.Command("ffmpeg", "-i", "input.jpg", "-vf", "scale=\"'if(gt(a,4/3),640,-1)':'if(gt(a,4/3),-1,300)'\"", "output_320x240_boxed.png") it fails with following error: Error when evaluating the expression 'if(gt(a,4/3),-1,300)"'. Maybe the expression for out_w:'"if(gt(a,4/3),640,-1)' or for out_h:'if(gt(a,4/3),-1,300)"' is self-referencing. Command works when executed in command line. Why does it happen and how can i escape those double

While the build of 1.8.7 I have seems to have a backported version of Shellwords::shellescape , I know that method is a 1.9 feature and definitely isn't supported in earlier versions of 1.8. Does anyone know where I can find, either in Gem form or just as a snippet, a robust standalone implementation of Bourne-shell command escaping for Ruby? You might as well just copy what you want from shellwords.rb in the trunk of Ruby's subversion repository (which is GPLv2 'd): def shellescape(str) # An empty argument will be skipped, so return empty quotes. return "''" if str.empty? str = str.dup #

Is there a general Scala utility method that converts a string to a string literal? The simple lambda function "\"" + _ + "\"" only works for strings without any special characters. For example, the string \" (length 2) should be converted to the string "\\\"" (length 6). Have a look at Apache Common's StringEscapeUtils class ( docs here ). escapeJava should get the job done. Have a look at this example to see it in action (in Java). Wrap the String with 3 quotes to represent it as is.. e.g. val str = """ \" """ // str : java.lang.String = \" 来源： https://stackoverflow.com/questions/17341079

escaping html is fine - it will remove < 's and > 's etc. ive run into a problem where i am outputting a filename inside a comment tag eg. <!-- ${filename} --> of course things can be bad if you dont escape, so it becomes: <!-- <c:out value="${filename}"/> --> the problem is that if the file has "--" in the name, all the html gets screwed, since youre not allowed to have <!-- -- --> . the standard html escape doesnt escape these dashes, and i was wondering if anyone is familiar with a simple / standard way to escape them. Definition of a HTML comment : A comment declaration starts with <!,

In my legacy project i can see the usage of escapeHtml before string is sent to browser. StringEscapeUtils.escapeHtml(stringBody); I know from api doc what escapeHtml does.here is the example given:- For example: "bread" & "butter" becomes: "bread" & "butter". My understanding is when we send the string after escaping html its the browser responsibility that converts back to original characters. Is that right? But i am not getting why and when it is required and what happens if we send the string body without escaping html? what is the cost if we dont do escapeHtml before sending it to browser