Escaping in Liferay

This page describes the mechanisms in Liferay to escape characters.
All the escape methods are designed to prevent XSS attacks and follows OWASP's recommendations for escaping. They can be found in the class HtmlUtil:

Functions:
____________________________________________________________________

• HtmlUtil.escape() is for inserting untrusted data into an HTML element
• HtmlUtil.escapeHREF() is for inserting full URLs into the href attribute
• HtmlUtil.escapeURL() is for inserting untrusted data into URL parameter values
• HtmlUtil.escapeAttribute() is for inserting untrusted data into HTML element attribute values
• HtmlUtil.escapeCSS() is for inserting untrusted data into CSS property values
• HtmlUtil.escapeJS() is for inserting untrusted data into JavaScript strings    

Escaping at the right time is important to make sure that 1) data is not escaped multiple times and 2) data is not changed to a different value before all business logic is done processing.

Rule 1 : Don't escape before persisting 

There's a few reason why it's generally a bad idea to escape the data before it's persisted.

1. It increases the size of the data that must be stored
2. You may need the original at some point in the future. If the data is escaped already, it'll be very difficult to get back the original.

Rule 2 : Escape at the last minute 

Escaping should be done at the last minute. This avoids situations where the data is escaped before all the business logic is done. Practically, this means that most of the escaping should be done in .jsp files and not in .java files.

Pattern 1 : LanguageUtil 

The values in a Language.properties file may contain HTML elements and they are always safe. So, you should avoid

HtmlUtil.escape(LanguageUtil.format(pageContext, "entries-with-tag-x", tagName))

and instead do

LanguageUtil.format(pageContext, "entries-with-tag-x", HtmlUtil.escape(tagName))