Class HtmlEscapeSanitizer

java.lang.Object
io.github.rabinarayanpatra.sanitizer.builtin.HtmlEscapeSanitizer
All Implemented Interfaces:
FieldSanitizer<String>

public class HtmlEscapeSanitizer extends Object implements FieldSanitizer<String>
Sanitizer that escapes basic HTML special characters in rendered output.

This sanitizer replaces characters like <, >, &, ", and ' with their corresponding HTML entities. It is intended for simple HTML-escaping in contexts like log output or pre-escaped text rendering.

Security note: This sanitizer performs basic character escaping only. It does not handle Unicode escapes, null bytes, or double-encoding attacks. It is a formatting utility, not a security control. For XSS prevention, use a dedicated library such as OWASP Java HTML Sanitizer.

 String input = "<script>alert('xss')</script>";
 String escaped = new HtmlEscapeSanitizer().sanitize(input);
 // "&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;"
 
Since:
1.0.0
  • Constructor Details

    • HtmlEscapeSanitizer

      public HtmlEscapeSanitizer()
      Default constructor.
  • Method Details

    • sanitize

      public @Nullable String sanitize(@Nullable String in)
      Escapes HTML special characters in the input string.
      Specified by:
      sanitize in interface FieldSanitizer<String>
      Parameters:
      in - the string to sanitize
      Returns:
      the escaped string, or null if input is null
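The following is an added example, not the library's own source: a stand-alone escaper written to the contract documented above (the five characters listed in the class description, `&#x27;` for the apostrophe as the sample output shows, `&quot;` for the double quote as an assumption, and null passed through as the `sanitize` method specifies). It also exercises the double-encoding caveat from the security note, so a caller can see why this kind of escaper cannot be used to normalise text whose encoding state is unknown. The class name `HtmlEscapeDemo` and the `escape` method are hypothetical names for this example.

```java
/**
 * Added example (not the library's code): a minimal escaper that follows the
 * documented contract of HtmlEscapeSanitizer. Entity for the double quote
 * (&quot;) is assumed; the other entities come from the documented sample.
 */
public final class HtmlEscapeDemo {

    /** Escapes &, <, >, " and ' in one pass; returns null when the input is null. */
    public static String escape(String in) {
        if (in == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(in.length() + 16);
        // A single character walk avoids the classic ordering bug of chained
        // replace() calls, where '&' replaced after '<' would turn the '&' of
        // an already emitted "&lt;" into "&amp;lt;".
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Input and expected result taken from the documented usage sample.
        String input = "<script>alert('xss')</script>";
        String documented = "&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;";
        String once = escape(input);
        if (!documented.equals(once)) {
            throw new AssertionError("escape() does not match the documented output: " + once);
        }

        // Null passes through unchanged, as the sanitize() contract states.
        if (escape(null) != null) {
            throw new AssertionError("null input must yield null");
        }

        // Caveat from the security note: the escaper is context-free and has no
        // notion of "already escaped". Feeding its own output back in double-encodes
        // every '&', so it must be applied exactly once, at the point of rendering.
        String twice = escape(once);
        if (once.equals(twice) || !twice.startsWith("&amp;lt;")) {
            throw new AssertionError("second pass should double-encode: " + twice);
        }

        System.out.println("escaped once : " + once);
        System.out.println("escaped twice: " + twice);
    }
}
```

Compile and run with `javac HtmlEscapeDemo.java && java HtmlEscapeDemo`; the `main` method throws if the escaper deviates from the documented sample or from the null contract. Note that, exactly as the security note says, this covers only the five listed characters in HTML text content; it does nothing for null bytes, non-ASCII forms of the same characters, or attribute and URL contexts, which is why a dedicated sanitizer is still required for XSS prevention.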