They're designed for different purposes, HTML has lots of entities that XML doesn't. XML only has 5 escapes:

它们是为不同的目的而设计的，HTML 有很多 XML 没有的实体。XML 只有 5 个转义：

&lt; represents "<"
&gt; represents ">"
&amp; represents "&"
&apos; represents '
&quot; represents "

While HTML has loads - think of  ©etc. These HTML codes aren't valid in XML unless you include a definition in the header. The numeric codes (like ©for the copyright symbol) are valid in both.

虽然 HTML 有负载 - 想想 ©等等。这些 HTML 代码在 XML 中无效，除非您在标题中包含定义。数字代码（如©版权符号）在两者中都有效。

There's no such thing as escapeHtmlin JSP. You normally use <c:out escapeXml="true">(it by the way already defaults to true, so you can omit it) or fn:escapeXml()to escape HTML in JSP.

escapeHtml在 JSP 中没有这样的东西。您通常使用<c:out escapeXml="true">（顺便说一下，它已经默认为true，因此您可以省略它）或fn:escapeXml()在 JSP 中转义 HTML。

E.g.

例如

<c:out value="Welcome, ${user.name}" />
<input name="foo" value="${fn:escapeXml(param.foo)}" />

It will escape them as XML entities which works perfectly fine in plain HTML as well. They are only literally called XML entities because HTML entities are invalid in XML.

它会将它们转义为 XML 实体，这在纯 HTML 中也能正常工作。它们只是字面意义上的 XML 实体，因为 HTML 实体在 XML 中是无效的。

See also:

也可以看看：

• Java 5 HTML escaping To Prevent XSS
• Escaping html in Java

• Java 5 HTML 转义以防止 XSS
• 在 Java 中转义 html

Since you are sending HTML back to the consumer I would go with escapeHtml.

由于您将 HTML 发送回消费者，因此我会使用escapeHtml.

escapeXmlonly supports escaping the five basic XML entities (gt, lt, quot, amp, apos) whereas escapeHtmlsupports escaping all known HTML 4.0 entities.

escapeXml仅支持转义五个基本 XML 实体（gt、lt、quot、amp、apos），而escapeHtml支持转义所有已知的HTML 4.0 实体。

Assuming you're referring to commons StringEscapeUtils, escapeXmlonly deals with <>"'&while escapeHtmlcovers a richer set of characters.

假设您指的是 commons StringEscapeUtils，escapeXml仅处理<>"'&而escapeHtml涵盖更丰富的字符集。