Class InputSanitizer

java.lang.Object
com.oorian.security.InputSanitizer

public class InputSanitizer extends Object
Utility class for sanitizing user input to prevent injection attacks.

InputSanitizer provides methods for escaping and cleaning user-supplied strings before they are used in HTML output, JavaScript contexts, URL parameters, or SQL queries. These methods help prevent XSS, script injection, and other common web application vulnerabilities.

Usage:

 // Escape HTML special characters
 String safe = InputSanitizer.escapeHtml("<script>alert('xss')</script>");
 // Result: "&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;"

 // Strip all HTML tags
 String text = InputSanitizer.stripHtml("<b>Hello</b> <script>evil()</script> World");
 // Result: "Hello  World"

 // Escape for JavaScript string context
 String jsStr = InputSanitizer.escapeJavaScript("alert('xss')");
 // Result: "alert(\\u0027xss\\u0027)"
 
Since:
2.1
Version:
1.0
Author:
Marvin P. Warble Jr.
  • Method Details

    • escapeHtml

      public static String escapeHtml(String input)
      Escapes HTML special characters to prevent XSS when inserting untrusted data into HTML element content.

      Replaces: & < > " ' with their HTML entity equivalents.

      Parameters:
      input - the untrusted input string
      Returns:
      the HTML-escaped string, or null if the input is null
    • stripHtml

      public static String stripHtml(String input)
      Strips all HTML tags from the input string, leaving only text content.

      This is useful for extracting plain text from HTML-formatted user input. Note that this method does not decode HTML entities.

      Parameters:
      input - the input string potentially containing HTML
      Returns:
      the text with all HTML tags removed, or null if the input is null
    • escapeJavaScript

      public static String escapeJavaScript(String input)
      Escapes a string for safe inclusion within a JavaScript string literal.

      Escapes single quotes, double quotes, backslashes, forward slashes, and control characters using Unicode escape sequences where needed.

      Parameters:
      input - the untrusted input string
      Returns:
      the JavaScript-escaped string, or null if the input is null
    • encodeUrlParam

      public static String encodeUrlParam(String input)
      Encodes a string for safe use as a URL parameter value.

      Uses percent-encoding (RFC 3986) for all characters that are not unreserved (letters, digits, -, _, ., ~).

      Parameters:
      input - the untrusted input string
      Returns:
      the URL-encoded string, or null if the input is null
    • removeControlChars

      public static String removeControlChars(String input)
      Removes null bytes and other control characters from user input.

      Null byte injection can be used to truncate strings in some contexts. This method removes all control characters (U+0000 through U+001F and U+007F) except for tab (U+0009), newline (U+000A), and carriage return (U+000D).

      Parameters:
      input - the input string
      Returns:
      the cleaned string, or null if the input is null
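The method contracts above are precise enough to be restated in code. The following is an added example, not the library's own implementation: a stand-alone class (the name SanitizerContractDemo is hypothetical, and `&quot;` as the entity for the double quote is assumed) that follows the documented rules for escapeHtml, encodeUrlParam and removeControlChars so the behaviour can be checked without the library on the classpath.

```java
import java.nio.charset.StandardCharsets;
// Hypothetical class: a stand-alone re-statement of the documented contracts, not the library's code.
public final class SanitizerContractDemo {
    // escapeHtml contract: & < > " ' become entities (&quot; is assumed); null input returns null.
    static String escapeHtml(String in) {
        if (in == null) return null;
        StringBuilder sb = new StringBuilder(in.length() + 16);
        for (char c : in.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
    // encodeUrlParam contract: percent-encode every UTF-8 byte outside RFC 3986 unreserved (letters, digits, - _ . ~).
    static String encodeUrlParam(String in) {
        if (in == null) return null;
        StringBuilder sb = new StringBuilder();
        for (byte b : in.getBytes(StandardCharsets.UTF_8)) {
            int v = b & 0xff;
            boolean unreserved = (v >= 'A' && v <= 'Z') || (v >= 'a' && v <= 'z')
                    || (v >= '0' && v <= '9') || v == '-' || v == '_' || v == '.' || v == '~';
            sb.append(unreserved ? String.valueOf((char) v) : String.format("%%%02X", v));
        }
        return sb.toString();
    }
    // removeControlChars contract: drop U+0000..U+001F and U+007F but keep TAB, LF and CR,
    // so an embedded null byte cannot truncate the value in a downstream C-style API.
    static String removeControlChars(String in) {
        if (in == null) return null;
        StringBuilder sb = new StringBuilder(in.length());
        for (char c : in.toCharArray()) {
            boolean keep = c == '\t' || c == '\n' || c == '\r' || (c >= 0x20 && c != 0x7f);
            if (keep) sb.append(c);
        }
        return sb.toString();
    }
    public static void main(String[] args) {
        System.out.println(escapeHtml("<script>alert('xss')</script>"));  // same input as the Usage block
        System.out.println(encodeUrlParam("a b&c=d/\u00e9"));            // constructed: space, &, =, /, e-acute
        System.out.println(removeControlChars("report.pdf\0.exe"));      // constructed: embedded null byte
    }
}
```

Each method still chooses the wrong output if applied to the wrong context (HTML entity escaping does not protect a JavaScript string literal, which is why escapeJavaScript exists separately), so pick the method by where the value is inserted, not by where it came from.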