
ENCODE{"string"} -- encodes a string to HTML entities

  • Encode "special" characters to HTML numeric entities. Encoded characters are:
    • all non-printable ASCII characters below space, except newline ("\n") and carriage return ("\r")
    • HTML special characters "<", ">", "&", single quote (') and double quote (")
    • TML special characters "%", "[", "]", "@", "_", "*", "=" and "|"
  • Syntax: %ENCODE{"string"}%
  • Supported parameters:
    Parameter: "string"
      Description: String to encode
      Default: required (can be empty)
    Parameter: type="entity", type="safe", type="html", type="quotes" or type="url"
      Description: Control how special characters are encoded
        • entity: Encode special characters into HTML entities, like a double quote into &#034;. Does not encode \n or \r.
        • safe: Encode only the characters '"<>% into HTML entities.
        • html: As type="entity", except it also encodes \n and \r.
        • quotes: Escape double quotes with backslashes (\"); does not change other characters.
        • url: Encode special characters for URL parameter use, like a double quote into %22.
      Default: type="url"
  • Example: %ENCODE{"spaced name"}% expands to spaced%20name
  • ALERT! Values of HTML input fields must be entity encoded.
    Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
  • ALERT! Double quotes in strings must be escaped when passed into other macros.
    Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
  • ALERT! ENCODE can be used to filter user input from URL parameters and similar sources to protect against cross-site scripting. The safest approach is type="entity". Because it also encodes the TML characters, it can however prevent an application from fully working. In that case use type="safe", which encodes only the characters '"<>% into HTML entities (the same character set as encode="safe"). When ENCODE passes a string into another macro, always wrap it in double quotes ("") and use type="quotes". For maximum security against cross-site scripting you are advised to install the Foswiki:Extensions.SafeWikiPlugin.
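The encoding rules above, and the cross-site-scripting case the alerts warn about, as an added Python re-implementation for illustration (this is not Foswiki's own code, which is Perl, and it assumes Python's urllib percent-encoding as a stand-in for the type="url" encoder). It renders the page's <input> example with a constructed attacker-controlled value and checks whether the value attribute survives intact under no encoding, type="entity" and type="safe":

```python
import re
import urllib.parse

# Character classes as the page documents them for type="entity" / type="html".
# Added re-implementation for illustration; Foswiki's own ENCODE is Perl and
# may differ in minor details (assumption).
HTML_SPECIAL = '<>&\'"'
TML_SPECIAL = '%[]@_*=|'
SAFE_SET = '\'"<>%'          # the reduced set used by type="safe"


def to_entity(ch):
    """Numeric HTML entity, zero-padded to three digits as in the page's &#034; example."""
    return '&#%03d;' % ord(ch)


def encode(string, enc_type='url'):
    """Emulate %ENCODE{"string" type="..."}% for the five documented types."""
    if enc_type in ('entity', 'html'):
        out = []
        for ch in string:
            if ch in '\n\r':
                # type="entity" leaves line breaks alone; type="html" encodes them too
                out.append(to_entity(ch) if enc_type == 'html' else ch)
            elif ord(ch) < 0x20 or ch in HTML_SPECIAL or ch in TML_SPECIAL:
                out.append(to_entity(ch))
            else:
                out.append(ch)
        return ''.join(out)
    if enc_type == 'safe':
        return ''.join(to_entity(ch) if ch in SAFE_SET else ch for ch in string)
    if enc_type == 'quotes':
        return string.replace('"', '\\"')
    if enc_type == 'url':
        # urllib percent-encoding stands in for Foswiki's URL encoder (assumption)
        return urllib.parse.quote(string, safe='')
    raise ValueError('unknown ENCODE type: %r' % enc_type)


# Constructed attacker-controlled value, e.g. what %URLPARAM{"address"}% could
# return: it closes the value attribute and appends an event-handler attribute.
PAYLOAD = '" onmouseover="alert(1)'


def address_field(value, enc_type='entity'):
    """Render the page's <input> example; enc_type=None reproduces the unencoded bug."""
    rendered = value if enc_type is None else encode(value, enc_type)
    return '<input type="text" name="address" value="%s" />' % rendered


def attribute_count(html):
    """Count name="..." attributes; the intact field has exactly three (type, name, value)."""
    return len(re.findall(r'\b[\w-]+="', html))


def attribute_is_intact(html):
    """True when the attacker's text stayed inside the value attribute."""
    return attribute_count(html) == 3


if __name__ == '__main__':
    print(encode('spaced name'))                 # spaced%20name
    print(encode('"', 'entity'))                 # &#034;
    print(address_field(PAYLOAD, None))          # broken: a fourth attribute appears
    print(address_field(PAYLOAD, 'entity'))      # intact: quotes and "=" become entities
    print(address_field(PAYLOAD, 'safe'))        # intact: the quotes alone are enough here
```

Note that type="safe" keeps the attribute intact here only because the double quote is in its character set; it leaves "=", "_" and the other TML characters untouched, which is exactly the trade-off the alert describes.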

This site is powered by Foswiki. Copyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.