It's not uncommon to see web pages with text showing incorrectly as &quot;blah&quot; instead of "blah". (A simple search for the text '&quot;' will return numerous examples of such errors.)
This is caused by overzealous escaping of special characters. The ampersand character '&', in particular, is doubly special: it is both a special character, and forms part of the escape mechanism itself, as in '&gt;' and '&quot;'.
If text containing any special character is escaped twice, the problem described above occurs. A simple example shows why:
- original form: "blah" (including quotes)
- escape once to form: &quot;blah&quot; (still renders as "blah")
- escape a second time to form: &amp;quot;blah&amp;quot; (renders as &quot;blah&quot;). Note the doubly escaped ampersand.
- first escaping when storing the original user input into the database
- escaping a second time when rendering the same item in the presentation layer, using a tool such as <c:out> in JSTL
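
The two escaping steps listed above, traced end to end as an added example (not code from the original page). It assumes Python's `html.escape` as a stand-in for both the escaping done before the database write and the escaping `<c:out>` performs at render time; all function names are hypothetical.

```python
import html
import re

# An entity whose ampersand was itself escaped, e.g. &amp;quot; or &amp;#39;
DOUBLE_ESCAPED = re.compile(
    r"&amp;(?:[A-Za-z][A-Za-z0-9]*|#\d+|#[xX][0-9A-Fa-f]+);"
)

def store_escaped(user_input):
    """Anti-pattern: escape the input before writing it to the database."""
    return html.escape(user_input, quote=True)

def store_raw(user_input):
    """Store the original text unchanged; escaping is left to the view."""
    return user_input

def render(stored):
    """Presentation-layer escaping, the role <c:out> plays in a JSP."""
    return html.escape(stored, quote=True)

def browser_text(markup):
    """Approximate what the browser displays: entities decoded exactly once."""
    return html.unescape(markup)

def find_double_escapes(markup):
    """Return every doubly escaped entity found in rendered markup."""
    return DOUBLE_ESCAPED.findall(markup)

if __name__ == "__main__":
    original = '"blah"'  # constructed sample input, quotes included
    for store in (store_escaped, store_raw):
        markup = render(store(original))
        print(f"{store.__name__:14} markup={markup!r} "
              f"shown={browser_text(markup)!r} "
              f"double={find_double_escapes(markup)}")
```

The pattern is a heuristic: a user who legitimately typed the text `&quot;` also produces `&amp;quot;` after a single, correct escape, so treat matches as candidates to review rather than proof of a bug.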