Java Practices->Beware of doubly escaped ampersands

Beware of doubly escaped ampersands

It's not uncommon to see web pages with text showing incorrectly as "blah" instead of "blah". (A simple search for the text '"' will return numerous examples of such errors.)

This is caused by overzealous escaping of special characters. The ampersand character '&', in particular, is doubly special: it is both a special character, and forms part of the escape mechanism itself, as in '>' and '"'.

If text containing any special character is escaped twice, then the above mentioned problem occurs. A simple example shows why:

original form: "blah" (including quotes)
escape once to form: "blah" (still renders as "blah")
escape a second time to form: &quot;blah&quot; (renders as "blah"). Note the doubly escaped ampersand.

The most common cause of such double escaping occurs by:

first escaping when storing the original user input into the database
escaping a second time when rendering the same item in the presentation layer, using a tool such as <c:out> in JSTL

Since the escaping is related to HTML - that is, to the presentation layer - it's recommended that the database not store data in its escaped form.