What is the difference between escapeXml and escapeHtml?

Submitted by 蓝咒 on 2019-11-29 05:40:54

They're designed for different purposes; HTML has lots of entities that XML doesn't. XML only has 5 escapes:

&lt; represents "<"
&gt; represents ">"
&amp; represents "&"
&apos; represents '
&quot; represents "

While HTML has loads - think of &nbsp; &copy; etc. These HTML codes aren't valid in XML unless you include a definition in the header. The numeric codes (like &#169; for the copyright symbol) are valid in both.

BalusC

There's no such thing as escapeHtml in JSP. You normally use <c:out escapeXml="true"> (it by the way already defaults to true, so you can omit it) or fn:escapeXml() to escape HTML in JSP.

E.g.

<c:out value="Welcome, ${user.name}" />
<input name="foo" value="${fn:escapeXml(param.foo)}" />

It will escape them as XML entities which works perfectly fine in plain HTML as well. They are only literally called XML entities because HTML entities are invalid in XML.

Assuming you're referring to commons StringEscapeUtils, escapeXml only deals with <>"'& while escapeHtml covers a richer set of characters.

Justin Niessner

Since you are sending HTML back to the consumer I would go with escapeHtml.

escapeXml only supports escaping the five basic XML entities (gt, lt, quot, amp, apos) whereas escapeHtml supports escaping all known HTML 4.0 entities.
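
The difference the answers describe can be checked with the JDK's own XML parser: output limited to the five XML escapes stays well-formed XML, a named HTML entity such as `&copy;` does not parse without a DTD that declares it, and the numeric form `&#169;` parses. This is an added example, not code from any of the answers; the class `EscapeDemo` and its `escapeXml` method are hand-written stand-ins (not the JSTL or commons-lang implementations), and the input string is constructed.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class EscapeDemo {
    // Hand-written stand-in: escapes only the five predefined XML entities.
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '&': out.append("&amp;"); break;
                case '\'': out.append("&apos;"); break;
                case '"': out.append("&quot;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // True if the fragment is well-formed XML content when no DTD declares extra entities.
    static boolean parsesAsXml(String fragment) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Hardening: refuse DOCTYPE declarations, so no entity definitions can be supplied.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        b.setErrorHandler(new DefaultHandler()); // surface fatal errors as exceptions only
        try {
            b.parse(new InputSource(new StringReader("<p>" + fragment + "</p>")));
            return true;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String input = "Tom & \"Jerry\" <b>\u00A9 2019</b>"; // constructed sample
        String xml = escapeXml(input);
        String named = xml.replace("\u00A9", "&copy;");    // HTML named entity
        String numeric = xml.replace("\u00A9", "&#169;");  // numeric reference
        for (String s : new String[] { input, xml, named, numeric }) {
            System.out.println(parsesAsXml(s) + "  " + s);
        }
    }
}
```

Compile and run with `javac EscapeDemo.java && java EscapeDemo`; each output line shows whether the string parsed as XML, followed by the string itself.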
