The OWASP Java Encoder Project is a collection of high-performance low-overhead contextual encoders, that when utilized correctly, is an effective tool in preventing Web Application security vulnerabilities such as Cross-Site Scripting (XSS).

Please see the OWASP XSS Prevention Cheat Sheet for more information on preventing XSS.

Usage

In addition to the usage guidance below, more examples can be found on the OWASP Java Encoder Project Wiki.

The JARs can be found in Maven Central.

<dependency>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder</artifactId>
    <version>1.2.1</version>
</dependency>

Utilize the encoder:

import org.owasp.encoder.Encode;

//...

PrintWriter out = ....;
out.println("<textarea>" + Encode.forHtml(userData) + "</textarea>");

JSP Usage

The JSP Encoder makes the use of the Java Encoder within JSP simple via a TLD that includes tags and a set of JSP EL functions:

<dependency>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder-jsp</artifactId>
    <version>1.2.1</version>
</dependency>
<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>

<%-- ... --%>

<p>Dynamic data via EL: ${e:forHtml(param.value)}</p>
<p>Dynamic data via tag: <e:forHtml value="${param.value}" /></p>

Back to top