Difference: VarENCODE (3 vs. 4)

Revision 42009-02-23 - TWikiContributor

 
META TOPICPARENT name="TWikiVariables"

ENCODE{"string"} -- encodes a string to HTML entities

  • Encode "special" characters to HTML numeric entities. Encoded characters are:
    • all non-printable ASCII characters below space, except newline ("\n") and linefeed ("\r")
    • HTML special characters "<", ">", "&", single quote (') and double quote (")
    • TWiki special characters "%", "[", "]", "@", "_", "*", "=" and "|"
  • Syntax: %ENCODE{"string"}%
  • Supported parameters:
    Parameter: Description: Default:
    "string" String to encode required (can be empty)
Added:
>
>
type="safe" Encode special characters into HTML entities to avoid XSS exploits: "<", ">", "%", single quote (') and double quote (") type="url"
 
type="entity" Encode special characters into HTML entities, like a double quote into &#034;. Does not encode \n or \r. type="url"
type="html" As type="entity" except it also encodes \n and \r type="url"
type="quotes" Escape double quotes with backslashes (\"), does not change other characters type="url"
type="url" Encode special characters for URL parameter use, like a double quote into %22 (this is the default)
  • Example: %ENCODE{"spaced name"}% expands to spaced%20name
Changed:
<
<
  • ALERT! Note: Values of HTML input fields must be entity encoded.
    Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
  • ALERT! Note: Double quotes in strings must be escaped when passed into other TWiki variables.
    Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
>
>
  • ALERT! Notes:
    • Values of HTML input fields must be entity encoded.
      Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
Added:
>
>
    • Double quotes in strings must be escaped when passed into other TWiki variables.
      Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
    • Use type="entity" or type="safe" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="entity" is more aggressive, but some TWiki applications might not work. type="safe" provides a safe middle ground.
 
Deleted:
<
<
 
View topic | History: r10 < r9 < r8 < r7 | More topic actions...
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 1999-2025 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback
Note: Please contribute updates to this topic on TWiki.org at TWiki:TWiki.VarENCODE.