Class StringEscapeUtils
public class StringEscapeUtils extends Object
Escapes and unescapes String
s for Java, Java Script, HTML and XML.
#ThreadSafe#
This code has been adapted from Apache Commons Lang 3.5.
- Since:
- 1.0
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static class
StringEscapeUtils.Builder
Convenience wrapper forStringBuilder
providing escape methods. -
Field Summary
Fields Modifier and Type Field Description static CharSequenceTranslator
ESCAPE_CSV
Translator object for escaping individual Comma Separated Values.static CharSequenceTranslator
ESCAPE_ECMASCRIPT
Translator object for escaping EcmaScript/JavaScript.static CharSequenceTranslator
ESCAPE_HTML3
Translator object for escaping HTML version 3.0.static CharSequenceTranslator
ESCAPE_HTML4
Translator object for escaping HTML version 4.0.static CharSequenceTranslator
ESCAPE_JAVA
Translator object for escaping Java.static CharSequenceTranslator
ESCAPE_JSON
Translator object for escaping Json.static CharSequenceTranslator
ESCAPE_XML10
Translator object for escaping XML 1.0.static CharSequenceTranslator
ESCAPE_XML11
Translator object for escaping XML 1.1.static CharSequenceTranslator
ESCAPE_XSI
Translator object for escaping Shell command language.static CharSequenceTranslator
UNESCAPE_CSV
Translator object for unescaping escaped Comma Separated Value entries.static CharSequenceTranslator
UNESCAPE_ECMASCRIPT
Translator object for unescaping escaped EcmaScript.static CharSequenceTranslator
UNESCAPE_HTML3
Translator object for unescaping escaped HTML 3.0.static CharSequenceTranslator
UNESCAPE_HTML4
Translator object for unescaping escaped HTML 4.0.static CharSequenceTranslator
UNESCAPE_JAVA
Translator object for unescaping escaped Java.static CharSequenceTranslator
UNESCAPE_JSON
Translator object for unescaping escaped Json.static CharSequenceTranslator
UNESCAPE_XML
Translator object for unescaping escaped XML.static CharSequenceTranslator
UNESCAPE_XSI
Translator object for unescaping escaped XSI Value entries. -
Constructor Summary
Constructors Constructor Description StringEscapeUtils()
StringEscapeUtils
instances should NOT be constructed in standard programming. -
Method Summary
Modifier and Type Method Description static StringEscapeUtils.Builder
builder(CharSequenceTranslator translator)
Get aStringEscapeUtils.Builder
.static String
escapeCsv(String input)
Returns aString
value for a CSV column enclosed in double quotes, if required.static String
escapeEcmaScript(String input)
Escapes the characters in aString
using EcmaScript String rules.static String
escapeHtml3(String input)
Escapes the characters in aString
using HTML entities.static String
escapeHtml4(String input)
Escapes the characters in aString
using HTML entities.static String
escapeJava(String input)
Escapes the characters in aString
using Java String rules.static String
escapeJson(String input)
Escapes the characters in aString
using Json String rules.static String
escapeXml10(String input)
Escapes the characters in aString
using XML entities.static String
escapeXml11(String input)
Escapes the characters in aString
using XML entities.static String
escapeXSI(String input)
Escapes the characters in aString
using XSI rules.static String
unescapeCsv(String input)
Returns aString
value for an unescaped CSV column.static String
unescapeEcmaScript(String input)
Unescapes any EcmaScript literals found in theString
.static String
unescapeHtml3(String input)
Unescapes a string containing entity escapes to a string containing the actual Unicode characters corresponding to the escapes.static String
unescapeHtml4(String input)
Unescapes a string containing entity escapes to a string containing the actual Unicode characters corresponding to the escapes.static String
unescapeJava(String input)
Unescapes any Java literals found in theString
.static String
unescapeJson(String input)
Unescapes any Json literals found in theString
.static String
unescapeXml(String input)
Unescapes a string containing XML entity escapes to a string containing the actual Unicode characters corresponding to the escapes.static String
unescapeXSI(String input)
Unescapes the characters in aString
using XSI rules.
-
Field Details
-
ESCAPE_JAVA
Translator object for escaping Java. WhileescapeJava(String)
is the expected method of use, this object allows the Java escaping functionality to be used as the foundation for a custom translator. -
ESCAPE_ECMASCRIPT
Translator object for escaping EcmaScript/JavaScript. WhileescapeEcmaScript(String)
is the expected method of use, this object allows the EcmaScript escaping functionality to be used as the foundation for a custom translator. -
ESCAPE_JSON
Translator object for escaping Json. WhileescapeJson(String)
is the expected method of use, this object allows the Json escaping functionality to be used as the foundation for a custom translator. -
ESCAPE_XML10
Translator object for escaping XML 1.0. WhileescapeXml10(String)
is the expected method of use, this object allows the XML escaping functionality to be used as the foundation for a custom translator. -
ESCAPE_XML11
Translator object for escaping XML 1.1. WhileescapeXml11(String)
is the expected method of use, this object allows the XML escaping functionality to be used as the foundation for a custom translator. -
ESCAPE_HTML3
Translator object for escaping HTML version 3.0. WhileescapeHtml3(String)
is the expected method of use, this object allows the HTML escaping functionality to be used as the foundation for a custom translator. -
ESCAPE_HTML4
Translator object for escaping HTML version 4.0. WhileescapeHtml4(String)
is the expected method of use, this object allows the HTML escaping functionality to be used as the foundation for a custom translator. -
ESCAPE_CSV
Translator object for escaping individual Comma Separated Values. WhileescapeCsv(String)
is the expected method of use, this object allows the CSV escaping functionality to be used as the foundation for a custom translator. -
ESCAPE_XSI
Translator object for escaping Shell command language.- See Also:
- Shell Command Language
-
UNESCAPE_JAVA
Translator object for unescaping escaped Java. WhileunescapeJava(String)
is the expected method of use, this object allows the Java unescaping functionality to be used as the foundation for a custom translator. -
UNESCAPE_ECMASCRIPT
Translator object for unescaping escaped EcmaScript. WhileunescapeEcmaScript(String)
is the expected method of use, this object allows the EcmaScript unescaping functionality to be used as the foundation for a custom translator. -
UNESCAPE_JSON
Translator object for unescaping escaped Json. WhileunescapeJson(String)
is the expected method of use, this object allows the Json unescaping functionality to be used as the foundation for a custom translator. -
UNESCAPE_HTML3
Translator object for unescaping escaped HTML 3.0. WhileunescapeHtml3(String)
is the expected method of use, this object allows the HTML unescaping functionality to be used as the foundation for a custom translator. -
UNESCAPE_HTML4
Translator object for unescaping escaped HTML 4.0. WhileunescapeHtml4(String)
is the expected method of use, this object allows the HTML unescaping functionality to be used as the foundation for a custom translator. -
UNESCAPE_XML
Translator object for unescaping escaped XML. WhileunescapeXml(String)
is the expected method of use, this object allows the XML unescaping functionality to be used as the foundation for a custom translator. -
UNESCAPE_CSV
Translator object for unescaping escaped Comma Separated Value entries. WhileunescapeCsv(String)
is the expected method of use, this object allows the CSV unescaping functionality to be used as the foundation for a custom translator. -
UNESCAPE_XSI
Translator object for unescaping escaped XSI Value entries. WhileunescapeXSI(String)
is the expected method of use, this object allows the XSI unescaping functionality to be used as the foundation for a custom translator.
-
-
Constructor Details
-
StringEscapeUtils
public StringEscapeUtils()StringEscapeUtils
instances should NOT be constructed in standard programming.Instead, the class should be used as:
StringEscapeUtils.escapeJava("foo");
This constructor is public to permit tools that require a JavaBean instance to operate.
-
-
Method Details
-
builder
Get aStringEscapeUtils.Builder
.- Parameters:
translator
- the text translator- Returns:
StringEscapeUtils.Builder
-
escapeJava
Escapes the characters in a
String
using Java String rules.Deals correctly with quotes and control-chars (tab, backslash, cr, ff, etc.)
So a tab becomes the characters
'\\'
and't'
.The only difference between Java strings and JavaScript strings is that in JavaScript, a single quote and forward-slash (/) are escaped.
Example:
input string: He didn't say, "Stop!" output string: He didn't say, \"Stop!\"
- Parameters:
input
- String to escape values in, may be null- Returns:
- String with escaped values,
null
if null string input
-
escapeEcmaScript
Escapes the characters in a
String
using EcmaScript String rules.Escapes any values it finds into their EcmaScript String form. Deals correctly with quotes and control-chars (tab, backslash, cr, ff, etc.)
So a tab becomes the characters
'\\'
and't'
.The only difference between Java strings and EcmaScript strings is that in EcmaScript, a single quote and forward-slash (/) are escaped.
Note that EcmaScript is best known by the JavaScript and ActionScript dialects.
Example:
input string: He didn't say, "Stop!" output string: He didn\'t say, \"Stop!\"
Security Note. We only provide backslash escaping in this method. For example,'\"'
has the output'\\\"'
which could result in potential issues in the case where the string being escaped is being used in an HTML tag like<select onmouseover="..." />
. If you wish to have more rigorous string escaping, you may consider the ESAPI Libraries. Further, you can view the ESAPI GitHub Org.- Parameters:
input
- String to escape values in, may be null- Returns:
- String with escaped values,
null
if null string input
-
escapeJson
Escapes the characters in a
String
using Json String rules.Escapes any values it finds into their Json String form. Deals correctly with quotes and control-chars (tab, backslash, cr, ff, etc.)
So a tab becomes the characters
'\\'
and't'
.The only difference between Java strings and Json strings is that in Json, forward-slash (/) is escaped.
See http://www.ietf.org/rfc/rfc4627.txt for further details.
Example:
input string: He didn't say, "Stop!" output string: He didn't say, \"Stop!\"
- Parameters:
input
- String to escape values in, may be null- Returns:
- String with escaped values,
null
if null string input
-
unescapeJava
Unescapes any Java literals found in the
String
. For example, it will turn a sequence of'\'
and'n'
into a newline character, unless the'\'
is preceded by another'\'
.- Parameters:
input
- theString
to unescape, may be null- Returns:
- a new unescaped
String
,null
if null string input
-
unescapeEcmaScript
Unescapes any EcmaScript literals found in the
String
.For example, it will turn a sequence of
'\'
and'n'
into a newline character, unless the'\'
is preceded by another'\'
.- Parameters:
input
- theString
to unescape, may be null- Returns:
- A new unescaped
String
,null
if null string input - See Also:
unescapeJava(String)
-
unescapeJson
Unescapes any Json literals found in the
String
.For example, it will turn a sequence of
'\'
and'n'
into a newline character, unless the'\'
is preceded by another'\'
.- Parameters:
input
- theString
to unescape, may be null- Returns:
- A new unescaped
String
,null
if null string input - See Also:
unescapeJava(String)
-
escapeHtml4
Escapes the characters in a
String
using HTML entities.For example:
becomes:"bread" & "butter"
&quot;bread&quot; &amp; &quot;butter&quot;
.Supports all known HTML 4.0 entities, including funky accents. Note that the commonly used apostrophe escape character (') is not a legal entity and so is not supported).
- Parameters:
input
- theString
to escape, may be null- Returns:
- a new escaped
String
,null
if null string input - See Also:
- ISO Entities, HTML 3.2 Character Entities for ISO Latin-1, HTML 4.0 Character entity references, HTML 4.01 Character References, HTML 4.01 Code positions
-
escapeHtml3
Escapes the characters in a
String
using HTML entities.Supports only the HTML 3.0 entities.
- Parameters:
input
- theString
to escape, may be null- Returns:
- a new escaped
String
,null
if null string input
-
unescapeHtml4
Unescapes a string containing entity escapes to a string containing the actual Unicode characters corresponding to the escapes. Supports HTML 4.0 entities.
For example, the string
"<Français>"
will become"<Fran�ais>"
If an entity is unrecognized, it is left alone, and inserted verbatim into the result string. e.g.
">&zzzz;x"
will become">&zzzz;x"
.- Parameters:
input
- theString
to unescape, may be null- Returns:
- a new unescaped
String
,null
if null string input
-
unescapeHtml3
Unescapes a string containing entity escapes to a string containing the actual Unicode characters corresponding to the escapes. Supports only HTML 3.0 entities.
- Parameters:
input
- theString
to unescape, may be null- Returns:
- a new unescaped
String
,null
if null string input
-
escapeXml10
Escapes the characters in a
String
using XML entities.For example:
"bread" & "butter"
=>"bread" & "butter"
.Note that XML 1.0 is a text-only format: it cannot represent control characters or unpaired Unicode surrogate codepoints, even after escaping.
escapeXml10
will remove characters that do not fit in the following ranges:#x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
Though not strictly necessary,
escapeXml10
will escape characters in the following ranges:[#x7F-#x84] | [#x86-#x9F]
The returned string can be inserted into a valid XML 1.0 or XML 1.1 document. If you want to allow more non-text characters in an XML 1.1 document, use
escapeXml11(String)
.- Parameters:
input
- theString
to escape, may be null- Returns:
- a new escaped
String
,null
if null string input - See Also:
unescapeXml(java.lang.String)
-
escapeXml11
Escapes the characters in a
String
using XML entities.For example:
"bread" & "butter"
=>"bread" & "butter"
.XML 1.1 can represent certain control characters, but it cannot represent the null byte or unpaired Unicode surrogate codepoints, even after escaping.
escapeXml11
will remove characters that do not fit in the following ranges:[#x1-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
escapeXml11
will escape characters in the following ranges:[#x1-#x8] | [#xB-#xC] | [#xE-#x1F] | [#x7F-#x84] | [#x86-#x9F]
The returned string can be inserted into a valid XML 1.1 document. Do not use it for XML 1.0 documents.
- Parameters:
input
- theString
to escape, may be null- Returns:
- a new escaped
String
,null
if null string input - See Also:
unescapeXml(java.lang.String)
-
unescapeXml
Unescapes a string containing XML entity escapes to a string containing the actual Unicode characters corresponding to the escapes.
Supports only the five basic XML entities (gt, lt, quot, amp, apos). Does not support DTDs or external entities.
Note that numerical \\u Unicode codes are unescaped to their respective Unicode characters. This may change in future releases.
- Parameters:
input
- theString
to unescape, may be null- Returns:
- a new unescaped
String
,null
if null string input - See Also:
escapeXml10(String)
,escapeXml11(String)
-
escapeCsv
Returns a
String
value for a CSV column enclosed in double quotes, if required.If the value contains a comma, newline or double quote, then the String value is returned enclosed in double quotes.
Any double quote characters in the value are escaped with another double quote.
If the value does not contain a comma, newline or double quote, then the String value is returned unchanged.
see Wikipedia and RFC 4180.- Parameters:
input
- the input CSV column String, may be null- Returns:
- The input String, enclosed in double quotes if the value contains a comma,
newline or double quote,
null
if null string input
-
unescapeCsv
Returns a
String
value for an unescaped CSV column.If the value is enclosed in double quotes, and contains a comma, newline or double quote, then quotes are removed.
Any double quote escaped characters (a pair of double quotes) are unescaped to just one double quote.
If the value is not enclosed in double quotes, or is and does not contain a comma, newline or double quote, then the String value is returned unchanged.
see Wikipedia and RFC 4180.- Parameters:
input
- the input CSV column String, may be null- Returns:
- The input String, with enclosing double quotes removed and embedded double
quotes unescaped,
null
if null string input
-
escapeXSI
Escapes the characters in a
String
using XSI rules.Beware! In most cases you don't want to escape shell commands but use multi-argument methods provided by
ProcessBuilder
orRuntime.exec(String[])
instead.Example:
input string: He didn't say, "Stop!" output string: He\ didn\'t\ say,\ \"Stop!\"
- Parameters:
input
- String to escape values in, may be null- Returns:
- String with escaped values,
null
if null string input - See Also:
- Shell Command Language
-
unescapeXSI
Unescapes the characters in a
String
using XSI rules.- Parameters:
input
- theString
to unescape, may be null- Returns:
- a new unescaped
String
,null
if null string input - See Also:
escapeXSI(String)
-