Try recode (archived page; GitHub mirror; Debian page): $ echo ‘<’ |recode html..ascii < Install on Linux and similar Unix-y systems: $ sudo apt-get install recode Install on Mac OS using: $ brew install recode
In Spring you can escape the html from JSP pages generated by <form> tags. This closes off a lot avenues for XSS attacks, and can be done automatically in three ways: For the entire application in the web.xml file: <context-param> <param-name>defaultHtmlEscape</param-name> <param-value>true</param-value> </context-param> For all forms on a given page in the file itself: <spring:htmlEscape … Read more
< stands for the less-than sign: < > stands for the greater-than sign: > ≤ stands for the less-than or equals sign: ≤ ≥ stands for the greater-than or equals sign: ≥
If you’re inserting text content in your document in a location where text content is expected1, you typically only need to escape the same characters as you would in XML. Inside of an element, this just includes the entity escape ampersand & and the element delimiter less-than and greater-than signs < >: & becomes & < … Read more
EDIT: This answer was posted a long ago, and the htmlDecode function introduced a XSS vulnerability. It has been modified changing the temporary element from a div to a textarea reducing the XSS chance. But nowadays, I would encourage you to use the DOMParser API as suggested in other anwswer. I use these functions: function … Read more