Arbitrary text placed in an HTML tag often needs to be altered, to ensure that the resulting HTML remains valid.

Problem characters can include:

• <
• >
• "
• '
• \
• &

These characters can be replaced with HTML character entities. For example, < can be replaced with &lt;.

Query strings (Blah=1&Name=Bob) often need to be escaped as well. If the query string contains special characters, it will need to be "URL encoded". (See the javadoc for the URLEncoder class for further information.) This will ensure the query string conforms with valid HTTP.

There's often a second issue, however, with regard to query strings. If a query string is placed in an HREF attribute, then even a URL encoded query string is often not of valid form. This is because URLEncoder produces valid HTTP, but it doesn't in general produce text which is a valid HTML attribute - the ampersand character needs to be replaced by the corresponding character entity &amp;.

Here is an example of a utility class which escapes special characters for HTML, XML, regular expressions, and so on. 

package hirondelle.web4j.util;

import java.net.URLEncoder;
import java.io.UnsupportedEncodingException;
import java.text.CharacterIterator;
import java.text.StringCharacterIterator;
import java.util.regex.Pattern;
import java.util.regex.Matcher;

import hirondelle.web4j.security.SafeText;
import hirondelle.web4j.ui.translate.Text;
import hirondelle.web4j.ui.translate.Tooltips;
import hirondelle.web4j.ui.translate.TextFlow;
import hirondelle.web4j.ui.tag.Populate;
import hirondelle.web4j.database.Report;