How to escape double quotes in JSTL function / EL?

I need to change " to \" with JSTL replace function to use the string in input tag like:

<input type="hidden" name="text" size="40" value="${text}">

If the ${text} has the ", the HTML will be broken.

So I tried

<input type="hidden" name="text" size="40" value="${fn:replace(text, "\"", "\\\""}">

and

开发者_StackOverflow中文版<input type="hidden" name="text" size="40" value="${fn:replace(text, '"', '\"'}">

but didn't worked. The page makes errors like

org.apache.el.parser.ParseException: Encountered " "}" "} "" at line 1, column 32. Was expecting one of: "." ... ")" ... "[" ... "," ... ">" ... "gt" ... "<" ... "lt" ... ">=" ... "ge" ... "<=" ... "le" ... "==" ... "eq" ... "!=" ... "ne" ... "&&" ... "and" ... "||" ... "or" ... "*" ... "+" ... "-" ... "/" ... "div" ... "%" ... "mod" ...

How can I do this?

Update

I missed a close paren of replace function. The right one was this one with a close paren:

<input type="hidden" name="text" size="40" value="${fn:replace(text, '"', '\"')}">

Update2

I found out that when posting texts, using \ is not a good idea because of this reason why can't use \" in HTML input tag?. The code should be like this:

<input type="hidden" name="text" size="40" value="${fn:replace(text, '"', '&quot;')}">

---

It doesn't work because the \ is an escape character in Java string. To represent it literally, you need to escape it with another \ again. Also the " is a special character in EL, you also need to escape it to represent it literally. So, the proper syntax would have been:

<input type="hidden" name="text" size="40" value="${fn:replace(text, '\"', '\\\"')}">

But, you should actually be using fn:escapeXml() to prevent XSS. It not only escapes quotes, but also other characters.

<input type="hidden" name="text" size="40" value="${fn:escapeXml(text)}">

###See also:

• XSS prevention in JSP/Servlet web application

---

You are doing it wrong (with fn:replace).

The correct way is:

<input type="hidden" name="text" size="40" value="<c:out value='${text}'/>">
(actually tested code - works 100%)

Edit: Upon more thinking:

• the way by using fn:escapeXml (as written by BalusC) works too and looks nicer (no nested tags)
• using fn:replace to mimick fn:escapeXml is asking for trouble. You will forget to include some character that should be escaped. Just use the existing, tried and tested fn:escapeXml (or c:out)

---

You may have a typo: I don't see a closing paren in there. Try this:

${fn:replace(news.title, "\"", "\\\"")}

Also, are you trying to OUTPUT the results or are you trying to update news.title so the next time you access news.title the replacement is in place? This will work to output the result, but not to replace the actual value: news.title will not be changed by this call.