commons-dev mailing list archives

From Yasser Zamani <yasser.zam...@live.com>
Subject [lang] Question with the StringEscapeUtils.(un)escapeEcmaScript
Date Sat, 25 Feb 2017 08:38:04 GMT
Hi there,

I just wonder why `StringEscapeUtils.escapeEcmaScript` also includes 
`JavaUnicodeEscaper`? Is it its business really? The problem is that when we 
use it to prevent script injection by users, it also replaces the user 
input's Unicode characters with "\u"s, which is not deduced from the 
`escapeEcmaScript` term.

Another thing is, it replaces e.g. '<' with '&lt;' (HTML/XML escape) but 
replaces Unicode with '\u....' rather than '&#'?

And finally, just out of curiosity, why does `ESCAPE_ECMASCRIPT` not include 
`OctalUnescaper` but `UNESCAPE_ECMASCRIPT = UNESCAPE_JAVA` does?

Thanks in advance!
