Java -> Apache Commons StringEscapeUtils -> escapeJavaScript
For a very simple ajax name lookup, I'm sending an id from the client webpage to the server (Tomcat 5.5, Java 5), looking it up in a database and returning a string, which is assigned to a javascript variable back in the client (and then displayed).
The javascript code that receives the value is pretty standard:
//client code - javascript
xmlHttp.onreadystatechange = function() {
    if (xmlHttp.readyState == 4) {
        var result = xmlHttp.responseText;
        alert(result);
        ...
    }
    ...
}
To return the string, I originally had this in the server:
//server code - java
myString = "...";
out.write(myString.getBytes("UTF-8"));
Which worked perfectly, if unsafe. Later, I replaced it with:
import org.apache.commons.lang.StringEscapeUtils;
...
myString = "...";
out.write(StringEscapeUtils.escapeJavaScript(myString).getBytes("UTF-8"));
But while safer, the resulting string can't be properly displayed if it contains special chars like "ñ".
For instance, using:
escapeJavaScript("años").getBytes("UTF-8");
sends:
an\u00F1os
to the client.
The question: is there a simple way to parse the resulting string in JavaScript, or is there an alternate escape function I can use in Java that would prevent this issue?
Asked by: Edward982 | Posted: 28-01-2022
Answer 1
The following works in every browser I've tried:
javascript:alert("a\u00F1os");
Perhaps your string is being escaped twice by mistake.
Answered by: Rubie301 | Posted: 01-03-2022
Answer 2
Actually, now that I read it over, I think I actually don't need to escape the string I'm sending back at all... That is, StringEscapeUtils.escapeJavaScript would be useful if the resulting value was printed in the page, like:
//javascript code with inline struts
var myJavascriptString = "<%=myJavaString%>";
Or am I missing something and there would still be a valid reason to do the escape in the original case? (when it is returned as a series of bytes back to an ajax onreadystatechange handler and assigned to a js variable)
Answered by: Alina534 | Posted: 01-03-2022
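Added example in plain JavaScript, not code from the question or either answer, covering the question's "parse the resulting string in JavaScript" and Answer 2's point about where escaping belongs; RAW_RESPONSE is a constructed stand-in for responseText, and unescapeJavaScript and escapeDepth are hypothetical helpers.

```javascript
// Constructed stand-in for xmlHttp.responseText after the server wrote
// escapeJavaScript("años"): the body holds the six characters \u00F1 with a
// real backslash, not "ñ". Assigning responseText to a variable copies them
// verbatim; only a JavaScript (or JSON) parser reading them inside a string
// literal turns them back into "ñ", which is why Answer 1's alert() works
// and the AJAX handler's alert() does not.
const RAW_RESPONSE = "a\\u00F1os";

// Hypothetical helper: undo the escapes commons-lang escapeJavaScript() emits
// (\uXXXX, \n \t \r \b \f, \" \' \\ \/) without eval(). Unrecognised
// backslash sequences are left untouched rather than guessed at.
function unescapeJavaScript(text) {
  const simple = { n: "\n", t: "\t", r: "\r", b: "\b", f: "\f",
                   '"': '"', "'": "'", "\\": "\\", "/": "/" };
  return text.replace(/\\(u[0-9A-Fa-f]{4}|[ntrbf"'\\\/])/g, (_, esc) =>
    esc[0] === "u" ? String.fromCharCode(parseInt(esc.slice(1), 16))
                   : simple[esc]);
}

// Diagnostic for Answer 1's suspicion: escapeJavaScript() applied twice turns
// "ñ" into \\u00F1 (the first backslash is escaped again), so one decoding
// pass still leaves a \u sequence. Returns how many passes were needed
// before no \uXXXX remained (capped at 8 to guarantee termination).
function escapeDepth(text) {
  let depth = 0;
  let cur = text;
  while (/\\u[0-9A-Fa-f]{4}/.test(cur) && depth < 8) {
    cur = unescapeJavaScript(cur);
    depth++;
  }
  return depth;
}
```

escapeJavaScript() belongs only where the value lands inside a script literal, as in Answer 2's inline-JSP case; a raw AJAX body that is just assigned and shown with alert() never passes through a JS parser, so sending plain UTF-8 with the response charset declared is the cleaner fix, and the decoder above is only a repair for a response the server has already escaped.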