Beware of doubly escaped ampersands
It's not uncommon to see web pages with text that renders incorrectly as &quot;blah&quot; instead of "blah". (A simple search for the text '&quot;' will return numerous examples of such errors.)
This is caused by overzealous escaping of special characters. The ampersand character '&' in particular is doubly special: it is both a special character in its own right, and it forms part of the escape mechanism itself, as in '&gt;' and '&quot;'.
If text containing any special character is escaped twice, the problem described above occurs. A simple example shows why:
- original form: "blah" (including quotes)
- escape once to form: &quot;blah&quot; (still renders as "blah")
- escape a second time to form: &amp;quot;blah&amp;quot; (renders as &quot;blah&quot;). Note the doubly escaped ampersand.
This usually happens when the same text is escaped in two different layers:
- a first escaping when storing the original user input into the database
- a second escaping when rendering the same item in the presentation layer, using a tool such as <c:out> in JSTL
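As an added example (not part of the original article), the following Python reproduces the double escaping described above, shows a check that flags stored text which has already been escaped once, and contrasts the "escape at render time only" approach with the naive one. The function and variable names are the example's own.

```python
import html
import re

# An ampersand that has itself been escaped, followed by what used to be a
# named or numeric entity: "&amp;quot;", "&amp;gt;", "&amp;#39;", ...
DOUBLE_ESCAPED = re.compile(r"&amp;(#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);")


def escape_once(text: str) -> str:
    """Escape '&', '<', '>', '"' and "'" exactly once, as a view layer should."""
    return html.escape(text, quote=True)


def looks_doubly_escaped(stored: str) -> bool:
    """True when text carries the tell-tale '&amp;quot;'-style sequence.

    Useful as a data-quality check over a database column: hits usually mean
    the storage layer is escaping input that the presentation layer escapes
    again. A literal '&amp;' followed by a space (e.g. 'Tom &amp; Jerry')
    is a single, legitimate escape and is not reported.
    """
    return DOUBLE_ESCAPED.search(stored) is not None


def repair_double_escape(stored: str) -> str:
    """Undo one surplus level of escaping on already-corrupted data.

    Heuristic for a one-off migration only; the real fix is to stop escaping
    in the storage layer so that text is escaped exactly once, at render time.
    """
    return DOUBLE_ESCAPED.sub(r"&\1;", stored)


def render_naively(escaped_in_db: str) -> str:
    """Storage layer escaped the input, then the view escapes it again."""
    return escape_once(escaped_in_db)


def render_correctly(raw_in_db: str) -> str:
    """Storage keeps the raw text; only the view escapes it."""
    return escape_once(raw_in_db)


def demo(user_input: str = '"blah"'):
    """Return (escaped once, escaped twice) for the article's sample text."""
    once = escape_once(user_input)             # &quot;blah&quot;
    twice = render_naively(once)               # &amp;quot;blah&amp;quot;
    return once, twice
```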