Module jakarta.mvc

Interface Encoders


  • public interface Encoders
    Interface that provides encoders to escape code in JavaScript, HTML, etc. Encoding data is a way to prevent XSS attacks by ensuring it is not misinterpreted as running code. Implementations of this interface are injectable and accessible from EL via the MvcContext class as mvc.encoders.
    Since:
    1.0
    Author:
    Santiago Pericas-Geertsen
    See Also:
    OWASP Encoder Project
    • Method Detail

      • js

        String js​(String s)

        Encoding for JavaScript code in attributes or script blocks. It MUST support encoding of (at least) the following characters:

        Encoding Table
        Input CharacterEncoding
        U+0008 (BS)\b
        U+0009 (HT)\t
        U+000A (LF)\n
        U+000C (FF)\f
        U+000D (CR)\r
        /\/
        \\\
        "\x22
        &\x26
        '\x27
        U+0000-U001F\x##
        Parameters:
        s - string to encode.
        Returns:
        encoded string.
      • html

        String html​(String s)

        Encoding for HTML code in attributes or content. It MUST support encoding of (at least) the following characters:

        Encoding Table
        Input CharacterEncoding
        &&
        <&lt;
        >&gt;
        "&#34;
        '&#39;
        Parameters:
        s - string to encode.
        Returns:
        encoded string.