Certain characters are special in HTML pages and must be encoded if you want to display them literally. Because database content often contains these characters, scripts that include query results in web pages should encode those results to prevent browsers from misinterpreting the information.
Use the methods that are provided by your API for performing HTML-encoding and URL-encoding.
HTML is a markup language—it uses certain characters as markers that have a special meaning. To include literal instances of these characters in a page, you must encode them so that they are not interpreted as having their special meanings. For example, < should be encoded as &lt; to keep a browser from interpreting it as the beginning of a tag. Furthermore, there are actually two kinds of encoding, depending on the context in which you use a character. One encoding is appropriate for general HTML text, another is used for text that is part of a URL in a hyperlink.
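The two encoding contexts just described, applied to a show-tables style listing, as an added example (not code from the book): each table name appears once as link text, which gets HTML encoding, and once as a query-string value in the hyperlink, which gets URL encoding first. The table names and the script name show_table.py are constructed sample values.

```python
import html
from urllib.parse import quote

# Constructed sample data: table names as a show-tables script might
# retrieve them from MySQL, including characters that are special in
# HTML (<, &, ") or in URLs (space, #, /).
SAMPLE_TABLE_NAMES = ["sales", "q&a", "x<y", 'say "hi"', "tag #1/v2"]

def html_encode(text):
    """Encode text for a general HTML text or attribute context:
    & < > " ' become character entities so the browser shows them literally."""
    return html.escape(text, quote=True)

def url_encode(text):
    """Encode text for use as one component of a URL (a query-string value):
    everything outside the unreserved set becomes %XX escapes."""
    return quote(text, safe="")

def table_link(name, script="show_table.py"):
    """Build one hyperlink for a table. The query-string value is URL-encoded,
    then the whole href attribute and the visible link text are HTML-encoded,
    because the attribute lives in an HTML context too."""
    href = f"{script}?table={url_encode(name)}"
    return f'<a href="{html_encode(href)}">{html_encode(name)}</a>'

def table_list(names):
    """Render the table names as an HTML list, one encoded link per table."""
    items = "\n".join(f"  <li>{table_link(n)}</li>" for n in names)
    return f"<ul>\n{items}\n</ul>"

if __name__ == "__main__":
    print(table_list(SAMPLE_TABLE_NAMES))
```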
The MySQL show-tables scripts shown in Recipe 16.3 and Recipe 16.4 are simple demonstrations of how to produce web pages using programs. But with one exception, the scripts have a common failing: they take no care to properly encode special characters that occur in the information retrieved from the MySQL server. (The exception is the JSP version of the script; the <c:out> tag used there handles encoding automatically, as we’ll discuss
As it happens, I deliberately ...