You really should use StringEscapeUtils.escapeHtml()from Apache Commons Langto instead of regex for this. E.g. all you need to do is:

为此，您确实应该使用StringEscapeUtils.escapeHtml()from Apache Commons Langto 而不是正则表达式。例如，您需要做的就是：

String escaped = StringEscapeUtils.escapeHtml(input);

The best practice to protect against XSS is to escape all HTML entities and this method handles those cases for you. Otherwise you'll be writing, testing and maintaining your own code to do what has already been done. See the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheetfor more details.

防止 XSS 的最佳做法是转义所有 HTML 实体，此方法会为您处理这些情况。否则，您将编写、测试和维护自己的代码来完成已经完成的工作。有关更多详细信息，请参阅OWASP XSS（跨站点脚本）预防备忘单。

Java regex shouldn't require any special treatment for angle brackets. This should work fine:

Java regex 不需要对尖括号进行任何特殊处理。这应该可以正常工作：

myString.replace("<", "less than").replace(">", "greater than");

Hope that helps.

希望有帮助。

-tjw

-tjw

As an alternative to regex, you can use a utility class like the Apache Commons StringEscapeUtilsclass to encode your HTML strings when they are posted back to the server and before storing them in the databse or re-sending them as output.

作为正则表达式的替代方案，您可以使用实用程序类（如 Apache Commons StringEscapeUtils类）在 HTML 字符串回发到服务器时以及将它们存储在数据库中或将它们作为输出重新发送之前对其进行编码。

Since you tagged this jsp, I'd like to add that the normal approach to escape HTML/XML in JSP is using the JSTL<c:out>tag or fn:escapeXml()function.

由于您标记了这个jsp，我想补充一点，在 JSP 中转义 HTML/XML 的正常方法是使用JSTL<c:out>标记或fn:escapeXml()函数。

E.g.

例如

<c:out value="${user.name}" />
<input type="text" name="name" value="${fn:escapeXml(user.name)}" />

No need for Apache Commons Lang. Plus, escaping should really be done in the view side, not in the model/controller side.

不需要 Apache Commons Lang。另外，转义应该在视图端完成，而不是在模型/控制器端。

See also:

也可以看看：

• XSS prevention in JSP

• JSP 中的 XSS 预防