How to escape apostrophe or quotes on a JSP (used by JavaScript)

I have a user form. If the user types in a string with ' or " as part of it I have no problem. The form is submitted and saved correctly to the database. My problem is when I reload the page (all entries can be modified and are loaded into a list in the JSP before being displayed). On loading the page I get an error saying:

missing ) after argument list 'Caroline's message', \n

What do I need to do to escape this string for displaying it on the frontend?

Here is the code I am using on the frontend to read in the data and store it in a JavaScript object. I am not fully sure where I need to escape. The field causing the problem is c.getComName:

communications[<%=i%>][1] = new CommObject('<%=c.getComId()%>', '<%=c.getComName()%>');


communications[0][1] = new CommObject('101', 'Caroline's Message');



Use the Apache StringEscapeUtils.escapeJavaScript function.

Escapes the characters in a String using JavaScript String rules.

Escapes any values it finds into their JavaScript String form.
Deals correctly with quotes and control-chars (tab, backslash, cr, ff, etc.)

So a tab becomes the characters '\\' and 't'.

I prefer to avoid scriptlets in the middle of my page and was having to use them (increasingly often) to escape strings when used in JavaScript code. I wanted an Expression Language (EL) way of escaping the strings. I created a very small custom taglib that I use for just this purpose:

package com.mycom.taglibs;

import org.apache.commons.lang.StringEscapeUtils;

public class Utilities {
    public static String escapeJS(String value) {
        return StringEscapeUtils.escapeJavaScript(value);


<?xml version="1.0" encoding="UTF-8" ?>
<taglib xmlns=""

  <description>My Tag Library</description>
  <display-name>Tag Utils</display-name>

        JavaScript Escape function
    <function-signature>java.lang.String escapeJS(java.lang.String)</function-signature>

And, in the JSP page:

<%@ taglib prefix="myt" uri="/WEB-INF/mytaglib.tld" %>
The escaped string is: ${myt:escapeJS(variableHoldingTheString)}

fn:escapeXml does not work in JavaScript. It replaces ' with #&0039; still causing an error when the JavaScript is executed.

Only escaping in the JavaScript manner is correct: \'

The Apache StringEscapeUtils.escapeJavaScript function does this for you. Creating a taglib for it greatly simplifies matters.


Also we have very nice solution from Spring:

<%@ taglib prefix="spring" uri="" %>

<spring:message code="${propertyName}" javaScriptEscape="true"/>

So, issue from the question of this post can be resolved in this way:

communications[<%=i%>][1] = new CommObject('<spring:message code="${c.comId}" javaScriptEscape="true"/>', '<spring:message code="${c.comName}" javaScriptEscape="true"/> <%=c.getComName()%>');


You can use the JSTL escape function fn:escapeXml() to get rid of anomalies caused due to single quotes(`). The following example demonstrates the difference.

For example:

<c:set var="string1" value="This is abc's first String."/>
<c:set var="string2" value="This is abc's second String."/>

<p>With escapeXml() Function:</p>
<p>string (1): ${fn:escapeXml(string1)}</p>

<p>Without escapeXml() Function:</p>
<p>string (2): ${fn:escapeXml(string2)}</p>


string (1): This is abc s first String.

string (2): This is abc's second String.


That's strange.

What about:


If that works, you just have to figure out how to add the \".


You could use JSP core tags:

<%@ taglib uri="" prefix="c"%>      
var jsVar = "<c:out value='${stringVariable}' />";

When you return the HTML from the CommObject class add in the \" instead of the ' and before the name (e.g. Caroline's message)

Like this: return "\"" + comName + "\"";


Recent Questions

Top Questions

Home Tags Terms of Service Privacy Policy DMCA Contact Us

©2020 All rights reserved.