|
META TOPICPARENT |
name="TWikiVariables" |
ENCODE{"string"} -- encodes a string to HTML entities
- Encode "special" characters to HTML numeric entities. Encoded characters are:
- all non-printable ASCII characters below space, except newline (
"\n" ) and linefeed ("\r" )
- HTML special characters
"<" , ">" , "&" , single quote (' ) and double quote (" )
- TWiki special characters
"%" , "[" , "]" , "@" , "_" , "*" , "=" and "|"
- Syntax:
%ENCODE{"string"}%
- Supported parameters:
|
|
> > |
type="safe" |
Encode special characters into HTML entities to avoid XSS exploits: "<" , ">" , "%" , single quote (' ) and double quote (" ) |
type="url" |
|
|
type="entity" |
Encode special characters into HTML entities, like a double quote into " . Does not encode \n or \r . |
type="url" |
type="html" |
As type="entity" except it also encodes \n and \r |
type="url" |
type="quotes" |
Escape double quotes with backslashes (\" ), does not change other characters |
type="url" |
type="url" |
Encode special characters for URL parameter use, like a double quote into %22 |
(this is the default) |
- Example:
%ENCODE{"spaced name"}% expands to spaced%20name
|
|
< < |
-
Note: Values of HTML input fields must be entity encoded. Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
-
Note: Double quotes in strings must be escaped when passed into other TWiki variables. Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
|
> > |
-
Notes:
- Values of HTML input fields must be entity encoded.
Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
|
|
> > |
-
- Double quotes in strings must be escaped when passed into other TWiki variables.
Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
- Use
type="entity" or type="safe" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="entity" is more aggressive, but some TWiki applications might not work. type="safe" provides a safe middle ground.
|
| |
|
< < | |
| |