Class HtmlUtil

java.lang.Object
cloud.opencode.base.string.escape.HtmlUtil

public final class HtmlUtil extends Object
HTML Escape Utility - Provides HTML string escaping methods.

Features:

  • HTML entity escaping (&, <, >, ", ')
  • HTML entity unescaping

Usage Examples:

String escaped = HtmlUtil.escape("<script>alert('xss')</script>");
// "&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;"

String unescaped = HtmlUtil.unescape("&lt;b&gt;bold&lt;/b&gt;");
// "<b>bold</b>"

Security:

  • Thread-safe: Yes (stateless utility)
  • Null-safe: Yes

Performance:

  • Time complexity: O(n), where n is the string length
  • Space complexity: O(n) for the output string
Since:
JDK 25, opencode-base-string V1.0.0
Author:
Leon Soo www.LeonSoo.com
See Also:
  • Method Details

    • escape

      public static String escape(String str)
    • escapeStrict

      public static String escapeStrict(String str)
      Strict HTML escape: same as escape(String), plus encoding of the forward slash / as &#x2F;. Implements the OWASP XSS Cheat Sheet recommendation for HTML body context, where encoding / prevents user content from forming a closing </script> or </style> sequence and breaking out of the surrounding script or style block.
      Parameters:
      str - input string, may be null
      Returns:
      strictly-escaped string, or null if input is null
      Since:
      opencode-base-string V1.0.4
    • unescape

      public static String unescape(String str)
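
The escape and escapeStrict behaviour documented above, shown as an added stand-alone sketch that is not the library's source. The class HtmlEscapeSketch and its method names are hypothetical, the inputs are constructed, and the &amp;amp; and &amp;quot; entity forms are assumed, since this page only shows &amp;lt;, &amp;gt;, &amp;#39; and &amp;#x2F;.

```java
// Added illustration: not the source of cloud.opencode.base.string.escape.HtmlUtil.
public final class HtmlEscapeSketch {
    // Single O(n) pass; null in, null out, matching the documented contract.
    static String escape(String str, boolean strict) {
        if (str == null) return null;
        StringBuilder out = new StringBuilder(str.length() + 16);
        for (int i = 0; i < str.length(); i++) {
            char c = str.charAt(i);
            switch (c) {
                case '&' -> out.append("&amp;");    // assumed entity form
                case '<' -> out.append("&lt;");
                case '>' -> out.append("&gt;");
                case '"' -> out.append("&quot;");   // assumed entity form
                case '\'' -> out.append("&#39;");
                case '/' -> out.append(strict ? "&#x2F;" : "/");  // strict mode only
                default -> out.append(c);
            }
        }
        return out.toString();
    }

    // True if a character that can open or close markup or a quoted attribute is still raw.
    static boolean hasRawMarkupChars(String s, boolean strict) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '<' || c == '>' || c == '"' || c == '\'' || (strict && c == '/')) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the null case.
        String[] samples = { "</script><b>hi</b>", "Tom & \"Jerry\" 1/2", "it's", null };
        for (String s : samples) {
            String basic = escape(s, false);
            String strict = escape(s, true);
            System.out.println(basic + "  |  " + strict);
            if (strict != null && hasRawMarkupChars(strict, true)) {
                throw new IllegalStateException("unencoded markup character in: " + strict);
            }
        }
        // Escaping is not idempotent: a second pass re-encodes the '&' of existing entities.
        System.out.println(escape(escape("<b>", false), false));
    }
}
```

Entity encoding of this kind suits HTML element content and quoted attribute values. Data placed inside a script or style block, or in a URL, needs the encoding for that context instead.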