It is not uncommon to see web pages with text showing incorrectly as "blah" instead of "blah". ( A simple search for the text '"' will return numerous examples of such errors.)

This is caused by overzealous escaping of special characters. The ampersand character '&', in particular, is doubly special: it is both a special character, and forms part of the escape mechanism itself, as in '>' and '"'.

If text containing any special character is escaped twice, then the above mentioned problem occurs. A simple example shows why :

• original form : "blah" (including quotes)
• escape once to form : "blah" (still renders as "blah")
• escape a second time to form :  "blah" (renders as "blah"). Note the doubly escaped ampersand.

The most common cause of such double escaping occurs by :

• first escaping when storing the original user input into the database
• escaping a second time when rendering the same item in the presentation layer, using a tool such as <c:out> in JSTL

Since the escaping is related to HTML - that is, to the presentation layer - it is recommended that the escaping be performed only in the presentation layer itself, and not in the database.

Escape special characters
Beware of common hacks

Yes   No   Undecided