Escaping
Introduction #
This page describes the mechanisms in Liferay to escape characters.
All the escape methods are designed to prevent XSS attacks and follows OWASP's recommendations for escaping. They can be found in the class HtmlUtil:
The Functions #
- HtmlUtil.escape() is for inserting untrusted data into an HTML element
- HtmlUtil.escapeHREF() is for inserting full URLs into the href attribute
- HtmlUtil.escapeURL() is for inserting untrusted data into URL parameter values
- HtmlUtil.escapeAttribute() is for inserting untrusted data into HTML element attribute values
- HtmlUtil.escapeCSS() is for inserting untrusted data into CSS property values
- HtmlUtil.escapeJS() is for inserting untrusted data into JavaScript strings
When to Escape #
Escaping at the right time is important to make sure that 1) data is not escaped multiple times and 2) data is not changed to a different value before all business logic is done processing.
General Rule 1 : Don't escape before persisting #
There's a few reason why it's generally a bad idea to escape the data before it's persisted.
- It increases the size of the data that must be stored
- You may need the original at some point in the future. If the data is escaped already, it'll be very difficult to get back the original.
General Rule 2 : Escape at the last minute #
Escaping should be done at the last minute. This avoids situations where the data is escaped before all the business logic is done. Practically, this means that most of the escaping should be done in .jsp files and not in .java files.
Pattern 1 : LanguageUtil #
The values in a Language.properties file may contain HTML elements and they are always safe. So, you should avoid
HtmlUtil.escape(LanguageUtil.format(pageContext, "entries-with-tag-x", tagName))
and instead do
LanguageUtil.format(pageContext, "entries-with-tag-x", HtmlUtil.escape(tagName))
