OWASP Java Encoder Project
Tag library version: 1.0
Short name: java-encoder
URI: https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

TAGS

Every tag below has an empty body and a single attribute, "value" (type java.lang.String, required, runtime expression allowed): the value to be written out.

forCDATA
  Tag class: org.owasp.encoder.tag.ForCDATATag
  Encodes data for an XML CDATA section. If the input contains a terminating "]]>", it is replaced by "]]>]]<![CDATA[>". As with all XML contexts, characters that are invalid according to the XML specification are replaced by a space character. The caller must provide the CDATA section boundaries.

forHtmlContent
  Tag class: org.owasp.encoder.tag.ForHtmlContentTag
  Encodes for HTML text content. It does not escape quotation characters and is thus unsafe for use with HTML attributes. Use either forHtml or forHtmlAttribute for those contexts.

forXmlAttribute
  Tag class: org.owasp.encoder.tag.ForXmlAttributeTag
  Encodes for XML and XHTML attribute content.

forXml
  Tag class: org.owasp.encoder.tag.ForXmlTag
  Encodes for XML and XHTML.

forJavaScript
  Tag class: org.owasp.encoder.tag.ForJavaScriptTag
  Encodes for a JavaScript string. It is safe for use in HTML script attributes (such as onclick), script blocks, JSON files, and JavaScript source. The caller MUST provide the surrounding quotation characters for the string. Because this performs the additional encoding needed to work in all of the JavaScript contexts listed, it may be slightly less efficient than one of the methods targeted at a specific JavaScript context: forJavaScriptAttribute, forJavaScriptBlock, or forJavaScriptSource. Unless you are interested in saving a few bytes of output or are writing a framework on top of this library, it is recommended that you use this method over the others.

forHtmlUnquotedAttribute
  Tag class: org.owasp.encoder.tag.ForHtmlUnquotedAttributeTag
  Encodes for unquoted HTML attribute values. forHtml(String) or forHtmlAttribute(String) should usually be preferred over this method, as quoted attributes are XHTML compliant.

forUri
  Tag class: org.owasp.encoder.tag.ForUriTag
  Performs percent-encoding of a URL according to RFC 3986. The provided URL is assumed to be a valid URL. This method does not do any checking on the quality or safety of the URL itself. In many applications it may be better to use java.net.URI instead. Note: this is a particularly dangerous context to put untrusted content in, as for example a "javascript:" URL provided by a malicious user would be "properly" escaped and still execute.

forCssUrl
  Tag class: org.owasp.encoder.tag.ForCssUrlTag
  Encodes for CSS URL contexts. The context must be surrounded by "url()". It is safe for use in both style blocks and attributes in HTML. Note: this does not do any checking on the quality or safety of the URL itself. The caller should ensure that the URL is safe for embedding (e.g. by input validation) through other means.

forHtmlAttribute
  Tag class: org.owasp.encoder.tag.ForHtmlAttributeTag
  Encodes for HTML text attributes.

forHtml
  Tag class: org.owasp.encoder.tag.ForHtmlTag
  Encodes for (X)HTML text content and text attributes.

forXmlContent
  Tag class: org.owasp.encoder.tag.ForXmlContentTag
  Encodes for HTML text content. It does not escape quotation characters and is thus unsafe for use with HTML attributes. Use either forHtml or forHtmlAttribute for those contexts.

forUriComponent
  Tag class: org.owasp.encoder.tag.ForUriComponentTag
  Performs percent-encoding for a component of a URI, such as a query parameter name or value, path, or query string. In particular, this method ensures that special characters in the component do not get interpreted as part of another component.

forCssString
  Tag class: org.owasp.encoder.tag.ForCssStringTag
  Encodes for CSS strings. The context must be surrounded by quotation characters. It is safe for use in both style blocks and attributes in HTML.

EL FUNCTIONS

All functions are static methods of org.owasp.encoder.Encode with the signature java.lang.String name(java.lang.String).

forHtml
  Example: forHtml(unsafeData)
  Encodes for (X)HTML text content and text attributes.

forHtmlContent
  Example: forHtmlContent(unsafeData)
  Encodes for HTML text content. It does not escape quotation characters and is thus unsafe for use with HTML attributes. Use either forHtml or forHtmlAttribute for those contexts.

forHtmlAttribute
  Example: forHtmlAttribute(unsafeData)
  Encodes for HTML text attributes.

forHtmlUnquotedAttribute
  Example: forHtmlUnquotedAttribute(unsafeData)
  Encodes for unquoted HTML attribute values. forHtml(String) or forHtmlAttribute(String) should usually be preferred over this method, as quoted attributes are XHTML compliant.

forCssString
  Example: forCssString(unsafeData)
  Encodes for CSS strings. The context must be surrounded by quotation characters. It is safe for use in both style blocks and attributes in HTML.

forCssUrl
  Example: forCssUrl(unsafeData)
  Encodes for CSS URL contexts. The context must be surrounded by "url()". It is safe for use in both style blocks and attributes in HTML. Note: this does not do any checking on the quality or safety of the URL itself. The caller should ensure that the URL is safe for embedding (e.g. by input validation) through other means.

forUri
  Example: forUri(unsafeData)
  Performs percent-encoding of a URL according to RFC 3986. The provided URL is assumed to be a valid URL. This method does not do any checking on the quality or safety of the URL itself. In many applications it may be better to use java.net.URI instead. Note: this is a particularly dangerous context to put untrusted content in, as for example a "javascript:" URL provided by a malicious user would be "properly" escaped and still execute.

forUriComponent
  Example: forUriComponent(unsafeData)
  Performs percent-encoding for a component of a URI, such as a query parameter name or value, path, or query string. In particular, this method ensures that special characters in the component do not get interpreted as part of another component.

forXml
  Example: forXml(unsafeData)
  Encodes for XML and XHTML.

forXmlContent
  Example: forXmlContent(unsafeData)
  Encodes for HTML text content. It does not escape quotation characters and is thus unsafe for use with HTML attributes. Use either forHtml or forHtmlAttribute for those contexts.

forXmlAttribute
  Example: forXmlAttribute(unsafeData)
  Encodes for XML and XHTML attribute content.

forCDATA
  Example: forCDATA(unsafeData)
  Encodes data for an XML CDATA section. If the input contains a terminating "]]>", it is replaced by "]]>]]<![CDATA[>". As with all XML contexts, characters that are invalid according to the XML specification are replaced by a space character. The caller must provide the CDATA section boundaries.

forJavaScript
  Example: forJavaScript(unsafeData)
  Encodes for a JavaScript string. It is safe for use in HTML script attributes (such as onclick), script blocks, JSON files, and JavaScript source. The caller MUST provide the surrounding quotation characters for the string.