Is it necessary to use &mdash; and &ndash; in XHTML or HTML5?

The W3C released an official response about when to use and when not to use character escapes which you can find here. As they are also the group that is in charge of the HTML specification, I think it’s best to follow their advice. From the section “When to Use Escapes” Syntax characters. There are …

HTML-encoding lost when attribute read from input field

EDIT: This answer was posted long ago, and the htmlDecode function introduced an XSS vulnerability. It has been modified, changing the temporary element from a div to a textarea, reducing the XSS chance. But nowadays, I would encourage you to use the DOMParser API as suggested in the other answer. I use these functions: function …

How do I prevent people from doing XSS in Spring MVC?

In Spring you can escape the HTML from JSP pages generated by <form> tags. This closes off a lot of avenues for XSS attacks, and can be done automatically in three ways: For the entire application, in the web.xml file: <context-param> <param-name>defaultHtmlEscape</param-name> <param-value>true</param-value> </context-param> For all forms on a given page, in the file itself: <spring:htmlEscape …
