106

Very similar to this question, except for Java.

What is the recommended way of encoding strings for an XML output in Java? The strings might contain characters like "&", "<", etc.

21 Answers

130

As others have mentioned, using an XML library is the easiest way. If you do want to escape yourself, you could look into StringEscapeUtils from the Apache Commons Lang library.


7 Comments

This could be the way to go if you don't care about absolute correctness, for example if you are putting together a prototype.
Use StringEscapeUtils.escapeXml(str) from commons-lang. I use it in an App Engine application - works like a charm. Here is the Java Doc for this function:
The escapeXml method of StringEscapeUtils seems to be a bit costly. Is there a more efficient method that operates on a StringBuffer instead of a String?
Does this method work for both XML content and attributes? To me it seems like it doesn't work for attributes. It doesn't seem to escape \t, \n and \r.
Note that it has been moved from commons-lang to commons-text
36

Very simply: use an XML library. That way it will actually be right instead of requiring detailed knowledge of bits of the XML spec.

22 Comments

Can you recommend such a library? (I find it surprising that this is not a standard part of Java edition 5...such a common task).
XML is part of the standard Java framework - look in org.w3c.sax and org.w3c.dom. However, there are some easier-to-use frameworks around as well, such as JDom. Note that there may not be an "encoding strings for XML output" method - I was more recommending that the whole XML task should be done with a library rather than just doing bits at a time with string manipulation.
This is not such useful advice when outputting XHTML - FlyingSaucer requires XML, but there ain't no way I'm templating through an XML lib :). Thankfully StringTemplate allows me to quickly escape all String objects.
@mice: The question is tagged Java, and Java has lots of XML libraries. Indeed, there are XML APIs baked into Java, so there'd be no need to add anything else... but even if you did, a few hundred K is rarely a problem outside mobile these days. Even if it weren't Java, I'd be very wary of developing on a platform which didn't have any XML APIs...
@mice: The DOM API is perfectly capable of generating XML. Or there are fairly small third-party libraries. (JDom's jar file is 114K for example.) Using an XML API is still the recommended way of creating XML.
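The library route discussed in this answer and its comments, as an added example that is not part of any original post: the JDK's own DOM and Transformer APIs build and serialize the element, and the output is parsed back to confirm that the raw strings survive. The class name, element and attribute names and sample values are constructed for illustration, and the DOCTYPE feature URI assumes the JDK's built-in parser.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class DomEscapeDemo {

    // Parser with DOCTYPE declarations refused, so reading XML back in
    // cannot pull in external entities.
    static DocumentBuilder newBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder();
    }

    // Builds <user name="...">...</user> from raw strings; the serializer
    // decides what must be escaped in attribute and in text context.
    static String toXml(String name, String note) throws Exception {
        Document doc = newBuilder().newDocument();
        Element user = doc.createElement("user");
        user.setAttribute("name", name);
        user.setTextContent(note);
        doc.appendChild(user);

        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values containing the markup-significant characters.
        String name = "Tom \"T&J\" <tom@example.com>";
        String note = "if (a < b && b > c) { say('hi'); }";

        String xml = toXml(name, note);
        System.out.println(xml);

        // Round trip: parse the output and compare with the raw inputs.
        Element root = newBuilder()
                .parse(new InputSource(new StringReader(xml)))
                .getDocumentElement();
        System.out.println("attribute intact: " + name.equals(root.getAttribute("name")));
        System.out.println("text intact:      " + note.equals(root.getTextContent()));
    }
}
```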
21

Just use.

<![CDATA[ your text here ]]>

This will allow any characters except the ending

]]>

So you can include characters that would be illegal such as & and >. For example.

<element><![CDATA[ characters such as & and > are allowed ]]></element>

However, attributes will need to be escaped as CDATA blocks can not be used for them.

6 Comments

In most cases, that is not what you should do. Too many people abuse the CDATA tags. The intent of the CDATA is to tell the processor not to process it as XML and just pass it through. If you are trying to create an XML file, then you should be creating XML, not just passing bytes through some wrapping element.
@Mads, using CDATA results in a valid XML file so it is just as fine as doing it the "right way". If you dislike it, then parse it afterwards, identity transform it, and print it.
If you wrap text in a CDATA element you have to escape the CDATA closing marker: "]]>"... except you cannot escape that. So instead you have to break your code into pieces where you put half of the data in one CDATA element and the other half in a second: <![CDATA[This data contain a CDATA closing marker: "]]]]><![CDATA[>" that is why it had to be split up.]]> ... In the end it may be a lot simpler to just escape '<', '>' and '&' instead. Of course many apps ignore the potential problem with CDATA closing markers in the data. Ignorance is bliss I guess. :)
@StijndeWitt is absolutely correct. CDATA is not a panacea for escaping special characters.
This is a bad idea. CDATA does not allow any character outside of the XML's encoding.
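The splitting technique described in the comment above, as an added example that is not part of any original post: a CDATA wrapper that cuts every "]]>" in the data across two sections, checked against the JDK parser next to the naive wrapper. The class and method names and the sample text are constructed; characters that are illegal in XML 1.0 are not handled here and would still have to be rejected.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class CdataWrap {

    // Naive wrapper: correct only while the data never contains "]]>".
    static String naiveCdata(String text) {
        return "<![CDATA[" + text + "]]>";
    }

    // Each "]]>" in the data is cut after "]]": the first section ends there
    // and a new one starts with ">", so the terminator never appears inside.
    static String splitCdata(String text) {
        return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>";
    }

    // Parses <e>...</e> and returns the text the parser recovered.
    static String readBack(String body) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new InputSource(new StringReader("<e>" + body + "</e>")))
                .getDocumentElement()
                .getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a code fragment that happens to contain "]]>".
        String raw = "if (a[b[0]]>c) x &= 1;";

        try {
            readBack(naiveCdata(raw));
            System.out.println("naive wrapper parsed (unexpected)");
        } catch (SAXException ex) {
            // The section ends at the first "]]>" and the rest is read as markup.
            System.out.println("naive wrapper rejected: " + ex.getMessage());
        }

        String wrapped = splitCdata(raw);
        System.out.println(wrapped);
        System.out.println("split wrapper round trip: " + raw.equals(readBack(wrapped)));
    }
}
```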
19

This question is eight years old and still not a fully correct answer! No, you should not have to import an entire third party API to do this simple task. Bad advice.

The following method will:

  • correctly handle characters outside the basic multilingual plane
  • escape characters required in XML
  • escape any non-ASCII characters, which is optional but common
  • replace illegal characters in XML 1.0 with the Unicode substitution character. There is no best option here - removing them is just as valid.

I've tried to optimise for the most common case, while still ensuring you could pipe /dev/random through this and get a valid string in XML.

public static String encodeXML(String s) {
    StringBuilder sb = new StringBuilder();
    int len = s.length();
    for (int i=0;i<len;) {
        int c = s.codePointAt(i);
        if (c < 0x80) {      // ASCII range: test most common case first
            if (c < 0x20 && (c != '\t' && c != '\r' && c != '\n')) {
                // Illegal XML character, even encoded. Skip or substitute
                sb.append("&#xfffd;");   // Unicode replacement character
            } else {
                switch(c) {
                  case '&':  sb.append("&amp;"); break;
                  case '>':  sb.append("&gt;"); break;
                  case '<':  sb.append("&lt;"); break;
                  // Uncomment next two if encoding for an XML attribute
//                  case '\'': sb.append("&apos;"); break;
//                  case '\"': sb.append("&quot;"); break;
                  // Uncomment next three if you prefer, but not required
//                  case '\n': sb.append("&#10;"); break;
//                  case '\r': sb.append("&#13;"); break;
//                  case '\t': sb.append("&#9;"); break;

                  default:   sb.append((char)c);
                }
            }
        } else if ((c >= 0xd800 && c <= 0xdfff) || c == 0xfffe || c == 0xffff) {
            // Illegal XML character, even encoded. Skip or substitute
            sb.append("&#xfffd;");   // Unicode replacement character
        } else {
            sb.append("&#x");
            sb.append(Integer.toHexString(c));
            sb.append(';');
        }
        i += c <= 0xffff ? 1 : 2;
    }
    return sb.toString();
}

Edit: for those who continue to insist it is foolish to write your own code for this when there are perfectly good Java APIs to deal with XML, you might like to know that the StAX API included with Oracle Java 8 (I haven't tested others) fails to encode CDATA content correctly: it doesn't escape ]]> sequences in the content. A third party library, even one that's part of the Java core, is not always the best option.

6 Comments

+1 for standalone code. Just comparing your code with guava implementation, I'm wondering what about '\t','\n','\r' ? See also notes at guava docs
There's no need to escape \n, \r and \t, they are valid, although they do make formatting a bit ugly. I've modified the code to show how to escape them if that's what you want.
There is no way to "escape ]]>" in CDATA.
Then it should reject the content by throwing an IllegalArgumentException. Under no circumstances should it claim to succeed but still output invalid XML.
Instead of replacing illegal characters in XML 1.0 with the Unicode substitution character you can use my methods here stackoverflow.com/a/59475093/3882565.
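An added example, not part of any original post, for two points raised in this thread: rejecting characters that XML 1.0 forbids instead of emitting them, and the difference between element content and attribute values. It goes slightly beyond the answer by escaping \r everywhere and \t and \n inside attributes, because the parser's line-end and attribute-value normalization would otherwise change them. The class and method names and the sample string are constructed, and the feature URI assumes the JDK's built-in parser.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class StrictXmlEscaper {

    // The Char production of XML 1.0: the only code points a document may hold.
    static boolean isXml10Char(int cp) {
        return cp == 0x9 || cp == 0xA || cp == 0xD
            || (cp >= 0x20 && cp <= 0xD7FF)
            || (cp >= 0xE000 && cp <= 0xFFFD)
            || (cp >= 0x10000 && cp <= 0x10FFFF);
    }

    // Escapes for element content or, with attribute == true, for an attribute value.
    static String escape(String s, boolean attribute) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); ) {
            int cp = s.codePointAt(i);          // an unpaired surrogate comes back as itself
            i += Character.charCount(cp);
            if (!isXml10Char(cp)) {
                throw new IllegalArgumentException(
                    String.format("U+%04X is not allowed in XML 1.0", cp));
            }
            switch (cp) {
                case '&':  sb.append("&amp;"); break;
                case '<':  sb.append("&lt;"); break;
                case '>':  sb.append("&gt;"); break;   // keeps "]]>" out of content
                case '"':  sb.append(attribute ? "&quot;" : "\""); break;
                case '\'': sb.append(attribute ? "&apos;" : "'"); break;
                case '\r': sb.append("&#13;"); break;  // a literal CR is read back as LF
                case '\t': sb.append(attribute ? "&#9;" : "\t"); break;
                case '\n': sb.append(attribute ? "&#10;" : "\n"); break;
                default:   sb.appendCodePoint(cp);
            }
        }
        return sb.toString();
    }

    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml))).getDocumentElement();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: whitespace, quotes, markup characters and U+1F600.
        String raw = "a\tb\r\nc \"q\" 'r' <&> \uD83D\uDE00";
        Element e = parse("<e a=\"" + escape(raw, true) + "\">" + escape(raw, false) + "</e>");
        System.out.println("attribute round trip: " + raw.equals(e.getAttribute("a")));
        System.out.println("content round trip:   " + raw.equals(e.getTextContent()));

        // Unescaped whitespace in an attribute is normalized to spaces by the parser.
        System.out.println("[" + parse("<e a=\"a\tb\nc\"/>").getAttribute("a") + "]");

        // A control character stays illegal even when written as a character reference.
        try {
            parse("<e>&#1;</e>");
        } catch (SAXException ex) {
            System.out.println("parser rejects &#1;: " + ex.getMessage());
        }
    }
}
```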
12

Try this:

String xmlEscapeText(String t) {
   StringBuilder sb = new StringBuilder();
   for(int i = 0; i < t.length(); i++){
      char c = t.charAt(i);
      switch(c){
      case '<': sb.append("&lt;"); break;
      case '>': sb.append("&gt;"); break;
      case '\"': sb.append("&quot;"); break;
      case '&': sb.append("&amp;"); break;
      case '\'': sb.append("&apos;"); break;
      default:
         if(c>0x7e) {
            sb.append("&#"+((int)c)+";");
         }else
            sb.append(c);
      }
   }
   return sb.toString();
}

16 Comments

You've got at least two bugs that I can see. One is subtle, the other isn't. I wouldn't have such a bug - because I wouldn't reinvent the wheel in the first place.
And iterating through Unicode strings is a bit more complicated. See here: stackoverflow.com/q/1527856/402322
Not sure it is subtle, but it'd better consider the case where t==null.
I'm happy with the final version. Java SE is compact, fast, and efficient. Doing just what needs to be done rather than downloading another 100 MB of bloatware is always better in my book.
All characters below 0x20 except 0x09, 0x0A and 0x0D are invalid in XML. This applies whether they are escaped or not. The only correct way to handle those is to skip them or throw an Exception. Other than that, this is a good solution and similar to the one we'd typically use.
9

StringEscapeUtils.escapeXml() does not escape control characters (< 0x20). XML 1.1 allows control characters; XML 1.0 does not. For example, XStream.toXML() will happily serialize a Java object's control characters into XML, which an XML 1.0 parser will reject.

To escape control characters with Apache commons-lang, use

NumericEntityEscaper.below(0x20).translate(StringEscapeUtils.escapeXml(str))

Comments

8
public String escapeXml(String s) {
    return s.replaceAll("&", "&amp;").replaceAll(">", "&gt;").replaceAll("<", "&lt;").replaceAll("\"", "&quot;").replaceAll("'", "&apos;");
}

4 Comments

Chaining replaceAll calls is very inefficient, especially for large strings. Every call results in a new String object being created, which will hang around until garbage collected. Also, each call requires looping through the string again. This could be consolidated into one single manual loop with comparisons against each target char in every iteration.
This should be the accepted answer, even if it is inefficient. It solves the problem in a single line.
And it has many bugs. See this comment above
To fix these bugs you can additionally use my method here stackoverflow.com/a/59475093/3882565. Note that this is not a replacement but it can be used additionally.
8

For those looking for the quickest-to-write solution: use methods from apache commons-lang:

Remember to include dependency:

<dependency>
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-lang3</artifactId>
  <version>3.5</version> <!--check current version! -->
</dependency>

1 Comment

Note that it has been moved from commons-lang to commons-text
6

While idealism says use an XML library, IMHO if you have a basic idea of XML then common sense and performance says template it all the way. It's arguably more readable too. Though using the escaping routines of a library is probably a good idea.

Consider this: XML was meant to be written by humans.

Use libraries for generating XML when having your XML as an "object" better models your problem. For example, if pluggable modules participate in the process of building this XML.

Edit: as for how to actually escape XML in templates, use of CDATA or escapeXml(string) from JSTL are two good solutions, escapeXml(string) can be used like this:

<%@taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>

<item>${fn:escapeXml(value)}</item>

Comments

6

The behavior of StringEscapeUtils.escapeXml() has changed from Commons Lang 2.5 to 3.0. It now no longer escapes Unicode characters greater than 0x7f.

This is a good thing, the old method was a bit too eager to escape entities that could just be inserted into a utf8 document.

The new escapers to be included in Google Guava 11.0 also seem promising: http://code.google.com/p/guava-libraries/issues/detail?id=799

2 Comments

Here's Guava's XML escaper: code.google.com/p/guava-libraries/source/browse/guava/src/com/…. In general, I've found Guava to be better architected than Apache Commons.
6

While I agree with Jon Skeet in principle, sometimes I don't have the option to use an external XML library. And I find it peculiar the two functions to escape/unescape a simple value (attribute or tag, not full document) are not available in the standard XML libraries included with Java.

As a result and based on the different answers I have seen posted here and elsewhere, here is the solution I've ended up creating (nothing worked as a simple copy/paste):

  public final static String ESCAPE_CHARS = "<>&\"\'";
  public final static List<String> ESCAPE_STRINGS = Collections.unmodifiableList(Arrays.asList(new String[] {
      "&lt;"
    , "&gt;"
    , "&amp;"
    , "&quot;"
    , "&apos;"
  }));

  private static String UNICODE_NULL = "" + ((char)0x00); //null
  private static String UNICODE_LOW =  "" + ((char)0x20); //space
  private static String UNICODE_HIGH = "" + ((char)0x7f);

  //should only be used for the content of an attribute or tag      
  public static String toEscaped(String content) {
    String result = content;
    
    if ((content != null) && (content.length() > 0)) {
      boolean modified = false;
      StringBuilder stringBuilder = new StringBuilder(content.length());
      for (int i = 0, count = content.length(); i < count; ++i) {
        String character = content.substring(i, i + 1);
        int pos = ESCAPE_CHARS.indexOf(character);
        if (pos > -1) {
          stringBuilder.append(ESCAPE_STRINGS.get(pos));
          modified = true;
        }
        else {
          if (    (character.compareTo(UNICODE_LOW) > -1)
               && (character.compareTo(UNICODE_HIGH) < 1)
             ) {
            stringBuilder.append(character);
          }
          else {
            //Per URL reference below, Unicode null character is always restricted from XML
            //URL: https://en.wikipedia.org/wiki/Valid_characters_in_XML
            if (character.compareTo(UNICODE_NULL) != 0) {
              stringBuilder.append("&#" + ((int)character.charAt(0)) + ";");
            }
            modified = true;
          }
        }
      }
      if (modified) {
        result = stringBuilder.toString();
      }
    }
    
    return result;
  }

The above accommodates several different things:

  1. avoids using char based logic until it absolutely has to - improves unicode compatibility
  2. attempts to be as efficient as possible given the probability is the second "if" condition is likely the most used pathway
  3. is a pure function; i.e. is thread-safe
  4. optimizes nicely with the garbage collector by only returning the contents of the StringBuilder if something actually changed - otherwise, the original string is returned

At some point, I will write the inversion of this function, toUnescaped(). I just don't have time to do that today. When I do, I will come update this answer with the code. :)

7 Comments

Looks pretty good to me. I do not wish to add another jar to my project for only one method. If you please grant permission, may I copy paste your code in mine?
@SatishMotwani Of course you can take the above code and do with it as you like. It's my understanding that any code published on StackOverflow is assumed to be copyright free (isn't covered as a work in totality). On the flip side, it would be exceedingly difficult for someone to press any sort of copyright claim and expect any sort of outcome for themselves.
You forgot to handle NUL characters. And maybe other things too.
@DavidBalažic Okay, please explain in more detail what I might have missed? Please read through the code more closely. I handled EVERY SINGLE Unicode character (of the 1,111,998), including the null character. Can you explain the definition of the two values, UNICODE_LOW and UNICODE_HIGH? Please reread the if that uses those two values. Notice null (\u0000 which is (int)0) doesn't fall between these two values. Read out how it becomes properly "escaped" just like ALL Unicode characters existing outside the UNICODE_LOW and UNICODE_HIGH range, by using the &# technique.
@chaotic3quilibrium NULL is illegal in XML (and some other characters too). Doesn't matter how you encode it. It is illegal. (also: there is really no need to escape Unicode characters, they are nicely supported in XML, except if the XML document has a non-Unicode encoding itself)
5

Note: Your question is about escaping, not encoding. Escaping is using &lt;, etc. to allow the parser to distinguish between "this is an XML command" and "this is some text". Encoding is the stuff you specify in the XML header (UTF-8, ISO-8859-1, etc).

First of all, like everyone else said, use an XML library. XML looks simple but the encoding+escaping stuff is dark voodoo (which you'll notice as soon as you encounter umlauts and Japanese and other weird stuff like "full width digits" (&#FF11; is 1)). Keeping XML human readable is a Sisyphus' task.

I suggest never to try to be clever about text encoding and escaping in XML. But don't let that stop you from trying; just remember when it bites you (and it will).

That said, if you use only UTF-8, to make things more readable you can consider this strategy:

  • If the text does contain '<', '>' or '&', wrap it in <![CDATA[ ... ]]>
  • If the text doesn't contain these three characters, don't wrap it.

I'm using this in an SQL editor and it allows the developers to cut&paste SQL from a third party SQL tool into the XML without worrying about escaping. This works because the SQL can't contain umlauts in our case, so I'm safe.

Comments

4

If you are looking for a library to get the job done, try:

  1. Guava 26.0 documented here

    return XmlEscapers.xmlContentEscaper().escape(text);

    Note: There is also an xmlAttributeEscaper()

  2. Apache Commons Text 1.4 documented here

    StringEscapeUtils.escapeXml11(text)

    Note: There is also an escapeXml10() method

Comments

3

To escape XML characters, the easiest way is to use the Apache Commons Lang project, JAR downloadable from: http://commons.apache.org/lang/

The class is this: org.apache.commons.lang3.StringEscapeUtils;

It has a method named "escapeXml", that will return an appropriately escaped String.

1 Comment

Update: escapeXml is now deprecated - use escapeXml10. Ref commons.apache.org/proper/commons-lang/javadocs/api-3.3/org/…
2

You could use the Enterprise Security API (ESAPI) library, which provides methods like encodeForXML and encodeForXMLAttribute. Take a look at the documentation of the Encoder interface; it also contains examples of how to create an instance of DefaultEncoder.

Comments

1

Use JAXP and forget about text handling; it will be done for you automatically.

1 Comment

Your link is in Spanish, which is not so helpful for most of us. Better is this one.
1

Here's an easy solution and it's great for encoding accented characters too!

String in = "Hi Lârry & Môe!";

StringBuilder out = new StringBuilder();
for(int i = 0; i < in.length(); i++) {
    char c = in.charAt(i);
    if(c < 31 || c > 126 || "<>\"'\\&".indexOf(c) >= 0) {
        out.append("&#" + (int) c + ";");
    } else {
        out.append(c);
    }
}

System.out.printf("%s%n", out);

Outputs

Hi L&#226;rry &#38; M&#244;e!

1 Comment

Shouldn't the "31" in the first line of the "if" be "32"; i.e. less than the space character? And if "31" must remain, then shouldn't it be corrected to read "if (c <= 31 ||..." (additional equals sign following the less than sign)?
0

Try to encode the XML using Apache XML serializer

//Serialize DOM
OutputFormat format    = new OutputFormat (doc); 
// as a String
StringWriter stringOut = new StringWriter ();    
XMLSerializer serial   = new XMLSerializer (stringOut, 
                                          format);
serial.serialize(doc);
// Display the XML
System.out.println(stringOut.toString());

Comments

0

Just replace

 & with &amp;

And for other characters:

> with &gt;
< with &lt;
\" with &quot;
' with &apos;

Comments

0

Here's what I found after searching everywhere looking for a solution:

Get the Jsoup library:

<!-- https://mvnrepository.com/artifact/org.jsoup/jsoup -->
<dependency>
    <groupId>org.jsoup</groupId>
    <artifactId>jsoup</artifactId>
    <version>1.12.1</version>
</dependency>

Then:

import org.jsoup.Jsoup
import org.jsoup.nodes.Document
import org.jsoup.nodes.Entities
import org.jsoup.parser.Parser

String xml = '''<?xml version = "1.0"?>
<SOAP-ENV:Envelope
   xmlns:SOAP-ENV = "http://www.w3.org/2001/12/soap-envelope"
   SOAP-ENV:encodingStyle = "http://www.w3.org/2001/12/soap-encoding">

   <SOAP-ENV:Body xmlns:m = "http://www.example.org/quotations">
      <m:GetQuotation>
         <m:QuotationsName> MiscroSoft@G>>gle.com </m:QuotationsName>
      </m:GetQuotation>
   </SOAP-ENV:Body>
</SOAP-ENV:Envelope>'''



Document doc = Jsoup.parse(new ByteArrayInputStream(xml.getBytes("UTF-8")), "UTF-8", "", Parser.xmlParser())
doc.outputSettings().charset("UTF-8")
doc.outputSettings().escapeMode(Entities.EscapeMode.base)

println doc.toString()

Hope this helps someone

Comments

-1

I have created my wrapper here, hope it will help a lot. Click here. You can modify it depending on your requirements.

Comments
