I am a newbie to openmrs and would like to contribute. I found this  at issue-tracker.
The org.apache.commons.lang.StringEscapeUtils is also a solution for this. But there are some issues which are introduced in  when using this.
OWASP Java Encoder  has recently been used widely to prevent XSS attacks. I am implementing it in openmrs at the moment to give it a try. This has worked for me in my work so far.
Will it be a problem if I introduce a new package into the code?
Any known facts, information and advice are welcome on this.
Rewrite the relevant WebUtil methods to delegate to OWASP’s version
Assuming that the OWASP encoder’s methods have convenient and intuitive method signatures, I would deprecate our WebUtil methods and point to the OWASP versions. But if those methods aren’t intuitive, we can have “easier” versions of them in WebUtil that delegate.
I have sent a PR at  for openmrs-core, introducing contextual encoding methods in the WebUtil class, delegating to the OWASP encoder.
The PR at  was sent before implementing . If  is ok to be merged, then we can use those methods in the code. But as @darius suggested, this is needed only if the OWASP encoder’s methods are not that convenient and intuitive. I think  is a good example using the reporting module to elaborate the usage of OWASP Encoder methods in openmrs code.
Based on the above decision, we can move on with OWASP Encoder methods or WebUtil methods to prevent XSS attacks in openmrs.
I have added the OWASP encoder to our codebase. I have introduced new methods in WebUtil  that delegate to OWASP’s version. Now anyone can use those methods to encode the variables contextually.
I am wondering whether we have to update the Wiki page. Does  need to be updated, or is there any other suitable place?
I updated the Wiki. Shall we deprecate the escapeHtml() method in there or keep it as it is? This method is named escapeHtml to preserve backward compatibility. But I hope there is no issue with keeping that name. At the same time there may be a slight misunderstanding, with the name being different from the others while the functionality is delegated to the OWASP Encoder just like the other “encodeForSomeContext” type methods.
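A sketch of what WebUtil-style methods delegating to the OWASP Java Encoder, plus a deprecated escapeHtml() kept for backward compatibility, could look like. This is an added illustration, not the code from the openmrs-core PR; the class and method names are assumed, while the `org.owasp.encoder.Encode` methods are the library's real API.

```java
import org.owasp.encoder.Encode;

/**
 * Illustrative WebUtil-style wrapper (assumed names) that delegates
 * contextual output encoding to the OWASP Java Encoder. Each method
 * matches one output context; using the wrong one (e.g. HTML encoding
 * inside a JavaScript string) does not protect that context.
 */
public final class ContextualEncodingExample {

    private ContextualEncodingExample() {}

    /** For untrusted text placed in HTML element content. */
    public static String encodeForHtml(String value) {
        return value == null ? null : Encode.forHtml(value);
    }

    /** For untrusted text placed inside a quoted HTML attribute value. */
    public static String encodeForHtmlAttribute(String value) {
        return value == null ? null : Encode.forHtmlAttribute(value);
    }

    /** For untrusted text placed inside a JavaScript string literal. */
    public static String encodeForJavaScript(String value) {
        return value == null ? null : Encode.forJavaScript(value);
    }

    /** For untrusted text placed in a URI query parameter value. */
    public static String encodeForUriComponent(String value) {
        return value == null ? null : Encode.forUriComponent(value);
    }

    /**
     * Old name kept so existing callers keep compiling; it now delegates
     * to encodeForHtml so they get the same contextual encoding.
     */
    @Deprecated
    public static String encodeForHtmlLegacy(String value) {
        return encodeForHtml(value);
    }

    public static void main(String[] args) {
        // Constructed sample input, not taken from any real request.
        String untrusted = "<script>alert('x')</script>";
        System.out.println("<div>" + encodeForHtml(untrusted) + "</div>");
        System.out.println("<input value=\"" + encodeForHtmlAttribute(untrusted) + "\">");
        System.out.println("var name = '" + encodeForJavaScript(untrusted) + "';");
        System.out.println("/search?q=" + encodeForUriComponent(untrusted));
    }
}
```

In the thread the legacy method is called escapeHtml(); it is renamed here only to make clear the wrapper is an illustration, and the deprecation-by-delegation pattern is the same.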