Monday, June 2, 2014

Escaping in Liferay

Hello

This page describes the mechanism for escaping characters (JS, HTML) in Liferay.
The following methods prevent XSS attacks and follow OWASP's recommendations for escaping. They can be found in the class HtmlUtil:

The Functions are:

Escaping at the right time is important to make sure that:
1) Data is not escaped multiple times.
2) Data is not changed to a different value before all business logic is done processing.

General Rule 1: Don't escape before persisting

There are a few reasons why it's generally a bad idea to escape the data before it's persisted.

1) It increases the size of the data that must be stored.
2) You may need the original at some point in the future. If the data is escaped already, it'll be very difficult to get back the original.

General Rule 2: Escape at the last minute

Escaping should be done at the last minute. This avoids situations where the data is escaped before all the business logic is done. Practically, this means that most of the escaping should be done in .jsp files and not in .java files.

The values in a Language.properties file may contain HTML elements, and they are always safe because they are not user input. So, you should avoid
HtmlUtil.escape(LanguageUtil.format(pageContext, "entries-with-tag-x", tagName))
and instead do
LanguageUtil.format(pageContext, "entries-with-tag-x", HtmlUtil.escape(tagName))
so that only the untrusted tagName is escaped and the trusted markup from the properties file is left intact.
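The following is an added example that illustrates both general rules and the Language.properties case above; it is not Liferay code. htmlEscape() is a hypothetical stand-in for HtmlUtil.escape, formatMessage() is a hypothetical stand-in for LanguageUtil.format, the MESSAGES map is a constructed stand-in for a Language.properties file, and TAG_TABLE is a constructed stand-in for the database.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not Liferay's own code. The helpers below are simplified
// stand-ins for HtmlUtil.escape, LanguageUtil.format, Language.properties
// and the persistence layer.
public class EscapeTiming {

    // Stand-in for HtmlUtil.escape: encodes the five characters OWASP's
    // HTML-body escaping rule covers.
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Constructed stand-in for Language.properties. The value is trusted
    // markup written by the developer, not user input.
    static final Map<String, String> MESSAGES = new HashMap<>();
    static {
        MESSAGES.put("entries-with-tag-x", "Entries tagged <strong>{0}</strong>");
    }

    // Stand-in for LanguageUtil.format: substitutes {0} with the argument
    // and does no escaping of its own.
    static String formatMessage(String key, String arg) {
        return MESSAGES.get(key).replace("{0}", arg);
    }

    // Constructed stand-in for the database table that stores tags.
    static final Map<Long, String> TAG_TABLE = new HashMap<>();

    public static void main(String[] args) {
        // Constructed untrusted input, as a user might submit it.
        String userInput = "<script>alert(1)</script> & \"fun\"";

        // Rule 1: persist the original value; the escaped form is larger
        // and cannot reliably be turned back into the original.
        TAG_TABLE.put(1L, userInput);

        // Business logic (length checks, comparisons, search) runs on the
        // stored original, not on an already-escaped copy.
        String tagName = TAG_TABLE.get(1L);

        // Rule 2: escape in the view, right before writing into HTML.
        // Wrong order: the trusted <strong> from the message is escaped too,
        // so the page shows literal "&lt;strong&gt;" text.
        String wrong = htmlEscape(formatMessage("entries-with-tag-x", tagName));
        // Right order: only the untrusted argument is escaped and the
        // message markup is preserved.
        String right = formatMessage("entries-with-tag-x", htmlEscape(tagName));

        System.out.println("wrong: " + wrong);
        System.out.println("right: " + right);

        // What escaping before persisting leads to: the render-time escape
        // runs again over already-escaped data, so "&" becomes "&amp;amp;".
        String storedEscaped = htmlEscape(userInput);
        System.out.println("double-escaped: " + htmlEscape(storedEscaped));
    }
}
```

Running it prints the "wrong" line with the message's own tags turned into visible text, the "right" line with the script tag neutralized inside an intact <strong> element, and the double-escaped line showing the corrupted output that results from escaping both at persistence time and at render time.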

