Difference: VarENCODE (1 vs. 9)

Revision 92015-06-18 - TWikiContributor

Line: 1 to 1
 
META TOPICPARENT name="TWikiVariables"

ENCODE{string} -- encode a string to URL entities, HTML entities, CSV format, and more

Line: 18 to 18
 
type="entity" Encode special characters into HTML entities, like a double quote into ". Does not encode newline (\n) or linefeed (\r). type="url"
type="entity"
extra=" $n$r"
For type="entity" only, use the extra parameter to encode additional characters to HTML numeric entities. Formatting tokens can be used, such as "$n" for newline. Note that type="entity" extra=" $n$r" is equivalent to type="html". type="url"
extra=""
type="html" Encode special characters into HTML entities. In addition to type="entity", it also encodes space, \n and \r. Useful to encode text properly in HTML input fields. See equivalent ENTITY. type="url"
Added:
>
>
type="json" Escape double quotes and backslashes with backslashes (\" and \\, respectively), escape non-printable characters with hex code \u0000 ... \u001F, does not change other characters. Use this to properly escape text for a JSON string. Example result: This is a string with \"quoted\" and \\backslashed\\ text. type="url"
 
type="csv" Escape single quotes and double quotes by repeating them, other characters do not change. Use this to properly escape fields in CSV reports that output comma-separated values, such as "field 1","field 2 with ''single'' and ""double"" quotes". type="url"
newline="..." Replace a newline with the specified value before encoding.
Please note that newline="<br/>" does not bring <br/> to the output because < and > are encoded (except with the quotes and csv types). To have <br/> in the output, you need to specify newline="$br". However, newline="$br" does not work in combination with type="url" (the defautl type). This shouldn't be a problem because it's very rare to need to have <br/> encoded in a URL.
In addition to $br, $n has a special meaning in a newline parameter value - $n results in a newline in the output.
This parameter is expected to be used in combination with the moderate, safe, entity, or html type. With the other types, it causes unuseful results.
 
  • Examples:

Revision 82014-04-16 - TWikiContributor

Line: 1 to 1
 
META TOPICPARENT name="TWikiVariables"
Changed:
<
<

ENCODE{string} -- encode a string to URL or HTML entities

  • Encode "special" characters to HTML numeric entities or to URL entities.
>
>

ENCODE{string} -- encode a string to URL entities, HTML entities, CSV format, and more

  • Encode "special" characters in a string to HTML numeric entities, URL entities. Also escapes special characters for CSV use and more.
 
  • Encoded characters:
    • all non-printable ASCII characters below space, except newline ("\n") and linefeed ("\r")
    • HTML special characters "<", ">", "&", single quote (') and double quote (")
Line: 18 to 18
 
type="entity" Encode special characters into HTML entities, like a double quote into &#034;. Does not encode newline (\n) or linefeed (\r). type="url"
type="entity"
extra=" $n$r"
For type="entity" only, use the extra parameter to encode additional characters to HTML numeric entities. Formatting tokens can be used, such as "$n" for newline. Note that type="entity" extra=" $n$r" is equivalent to type="html". type="url"
extra=""
type="html" Encode special characters into HTML entities. In addition to type="entity", it also encodes space, \n and \r. Useful to encode text properly in HTML input fields. See equivalent ENTITY. type="url"
Added:
>
>
type="csv" Escape single quotes and double quotes by repeating them, other characters do not change. Use this to properly escape fields in CSV reports that output comma-separated values, such as "field 1","field 2 with ''single'' and ""double"" quotes". type="url"
newline="..." Replace a newline with the specified value before encoding.
Please note that newline="<br/>" does not bring <br/> to the output because < and > are encoded (except with the quotes and csv types). To have <br/> in the output, you need to specify newline="$br". However, newline="$br" does not work in combination with type="url" (the defautl type). This shouldn't be a problem because it's very rare to need to have <br/> encoded in a URL.
In addition to $br, $n has a special meaning in a newline parameter value - $n results in a newline in the output.
This parameter is expected to be used in combination with the moderate, safe, entity, or html type. With the other types, it causes unuseful results.
 
 
  • Examples:
    • %ENCODE{"spaced name"}% expands to spaced%20name
    • %ENCODE{"spaced name" type="entity" extra=" "}% expands to spaced&#32;name

Revision 72012-11-12 - TWikiContributor

Line: 1 to 1
 
META TOPICPARENT name="TWikiVariables"
Changed:
<
<

ENCODE{"string"} -- encodes a string to HTML entities

  • Encode "special" characters to HTML numeric entities. Encoded characters are:
>
>

ENCODE{string} -- encode a string to URL or HTML entities

  • Encode "special" characters to HTML numeric entities or to URL entities.
  • Encoded characters:
 
    • all non-printable ASCII characters below space, except newline ("\n") and linefeed ("\r")
    • HTML special characters "<", ">", "&", single quote (') and double quote (")
    • TWiki special characters "%", "[", "]", "@", "_", "*", "=" and "|"
Line: 15 to 16
 
type="moderate" Encode special characters into HTML entities for moderate cross-site scripting protection: "<", ">", single quote (') and double quote (") are encoded. Useful to allow TWiki variables in comment boxes. type="url"
type="safe" Encode special characters into HTML entities for cross-site scripting protection: "<", ">", "%", single quote (') and double quote (") are encoded. type="url"
type="entity" Encode special characters into HTML entities, like a double quote into &#034;. Does not encode newline (\n) or linefeed (\r). type="url"
Changed:
<
<
type="html" Encode special characters into HTML entities. In addition to type="entity", it also encodes space, \n and \r. Useful to encode text properly in HTML input fields. type="url"
  • Example: %ENCODE{"spaced name"}% expands to spaced%20name
  • ALERT! Notes:
    • Values of HTML input fields should encoded as "html".
      Example: <input type="text" name="address" value="%ENCODE{ "any text" type="html" }%" />
>
>
type="entity"
extra=" $n$r"
For type="entity" only, use the extra parameter to encode additional characters to HTML numeric entities. Formatting tokens can be used, such as "$n" for newline. Note that type="entity" extra=" $n$r" is equivalent to type="html". type="url"
extra=""
type="html" Encode special characters into HTML entities. In addition to type="entity", it also encodes space, \n and \r. Useful to encode text properly in HTML input fields. See equivalent ENTITY. type="url"
  • Examples:
    • %ENCODE{"spaced name"}% expands to spaced%20name
    • %ENCODE{"spaced name" type="entity" extra=" "}% expands to spaced&#32;name
  • Notes:
    • Values of HTML input fields should be encoded as "html". A shorter %ENTITY{any text}% can be used instead of the more verbose %ENCODE{ "any text" type="html" }%.
      Example: <input type="text" name="address" value="%ENTITY{any text}%" />
 
    • Double quotes in strings must be escaped when passed into other TWiki variables.
      Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
Changed:
<
<
    • Use type="moderate", type="safe" or type="entity" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="entity" is the safest mode, but some TWiki applications might not work. type="safe" provides a safe middle ground, type="moderate" provides only moderate cross-site scripting protection.

>
>

Revision 62011-06-14 - TWikiContributor

Line: 1 to 1
 
META TOPICPARENT name="TWikiVariables"

ENCODE{"string"} -- encodes a string to HTML entities

Line: 14 to 14
 
type="quotes" Escape double quotes with backslashes (\"), does not change other characters. This type does not protect against cross-site scripting. type="url"
type="moderate" Encode special characters into HTML entities for moderate cross-site scripting protection: "<", ">", single quote (') and double quote (") are encoded. Useful to allow TWiki variables in comment boxes. type="url"
type="safe" Encode special characters into HTML entities for cross-site scripting protection: "<", ">", "%", single quote (') and double quote (") are encoded. type="url"
Changed:
<
<
type="entity" Encode special characters into HTML entities, like a double quote into &#034;. Does not encode newline (\n) or linefeed (\r). Useful to encode text properly in HTML input fields. type="url"
type="html" As type="entity" except it also encodes \n and \r type="url"
>
>
type="entity" Encode special characters into HTML entities, like a double quote into &#034;. Does not encode newline (\n) or linefeed (\r). type="url"
type="html" Encode special characters into HTML entities. In addition to type="entity", it also encodes space, \n and \r. Useful to encode text properly in HTML input fields. type="url"
 
  • Example: %ENCODE{"spaced name"}% expands to spaced%20name
  • ALERT! Notes:
Changed:
<
<
    • Values of HTML input fields must be entity encoded.
      Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
>
>
    • Values of HTML input fields should encoded as "html".
      Example: <input type="text" name="address" value="%ENCODE{ "any text" type="html" }%" />
 
    • Double quotes in strings must be escaped when passed into other TWiki variables.
      Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
    • Use type="moderate", type="safe" or type="entity" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="entity" is the safest mode, but some TWiki applications might not work. type="safe" provides a safe middle ground, type="moderate" provides only moderate cross-site scripting protection.
Changed:
<
<
>
>

Revision 52010-03-07 - TWikiContributor

Line: 1 to 1
 
META TOPICPARENT name="TWikiVariables"

ENCODE{"string"} -- encodes a string to HTML entities

Line: 10 to 10
 
Deleted:
<
<
type="safe" Encode special characters into HTML entities to avoid XSS exploits: "<", ">", "%", single quote (') and double quote (") type="url"
type="entity" Encode special characters into HTML entities, like a double quote into &#034;. Does not encode \n or \r. type="url"
type="html" As type="entity" except it also encodes \n and \r type="url"
type="quotes" Escape double quotes with backslashes (\"), does not change other characters type="url"
 
type="url" Encode special characters for URL parameter use, like a double quote into %22 (this is the default)
Added:
>
>
type="quotes" Escape double quotes with backslashes (\"), does not change other characters. This type does not protect against cross-site scripting. type="url"
type="moderate" Encode special characters into HTML entities for moderate cross-site scripting protection: "<", ">", single quote (') and double quote (") are encoded. Useful to allow TWiki variables in comment boxes. type="url"
type="safe" Encode special characters into HTML entities for cross-site scripting protection: "<", ">", "%", single quote (') and double quote (") are encoded. type="url"
type="entity" Encode special characters into HTML entities, like a double quote into &#034;. Does not encode newline (\n) or linefeed (\r). Useful to encode text properly in HTML input fields. type="url"
type="html" As type="entity" except it also encodes \n and \r type="url"
 
  • Example: %ENCODE{"spaced name"}% expands to spaced%20name
  • ALERT! Notes:
    • Values of HTML input fields must be entity encoded.
      Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
    • Double quotes in strings must be escaped when passed into other TWiki variables.
      Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
Changed:
<
<
    • Use type="entity" or type="safe" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="entity" is more aggressive, but some TWiki applications might not work. type="safe" provides a safe middle ground.
>
>
    • Use type="moderate", type="safe" or type="entity" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="entity" is the safest mode, but some TWiki applications might not work. type="safe" provides a safe middle ground, type="moderate" provides only moderate cross-site scripting protection.
 

Revision 42009-02-23 - TWikiContributor

Line: 1 to 1
 
META TOPICPARENT name="TWikiVariables"

ENCODE{"string"} -- encodes a string to HTML entities

Line: 10 to 10
 
Added:
>
>
type="safe" Encode special characters into HTML entities to avoid XSS exploits: "<", ">", "%", single quote (') and double quote (") type="url"
 
type="entity" Encode special characters into HTML entities, like a double quote into &#034;. Does not encode \n or \r. type="url"
type="html" As type="entity" except it also encodes \n and \r type="url"
type="quotes" Escape double quotes with backslashes (\"), does not change other characters type="url"
type="url" Encode special characters for URL parameter use, like a double quote into %22 (this is the default)
  • Example: %ENCODE{"spaced name"}% expands to spaced%20name
Changed:
<
<
  • ALERT! Note: Values of HTML input fields must be entity encoded.
    Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
  • ALERT! Note: Double quotes in strings must be escaped when passed into other TWiki variables.
    Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
>
>
  • ALERT! Notes:
    • Values of HTML input fields must be entity encoded.
      Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
    • Double quotes in strings must be escaped when passed into other TWiki variables.
      Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
    • Use type="entity" or type="safe" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="entity" is more aggressive, but some TWiki applications might not work. type="safe" provides a safe middle ground.
 
Deleted:
<
<

Revision 32007-01-04 - TWikiContributor

Line: 1 to 1
 
META TOPICPARENT name="TWikiVariables"
Deleted:
<
<
 

ENCODE{"string"} -- encodes a string to HTML entities

  • Encode "special" characters to HTML numeric entities. Encoded characters are:
    • all non-printable ASCII characters below space, except newline ("\n") and linefeed ("\r")
Line: 13 to 12
 
"string" String to encode required (can be empty)
type="entity" Encode special characters into HTML entities, like a double quote into &#034;. Does not encode \n or \r. type="url"
type="html" As type="entity" except it also encodes \n and \r type="url"
Changed:
<
<
type="quote" Escape double quotes with backslashes (\"), does not change other characters type="url"
>
>
type="quotes" Escape double quotes with backslashes (\"), does not change other characters type="url"
 
type="url" Encode special characters for URL parameter use, like a double quote into %22 (this is the default)
  • Example: %ENCODE{"spaced name"}% expands to spaced%20name
  • ALERT! Note: Values of HTML input fields must be entity encoded.
    Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
  • ALERT! Note: Double quotes in strings must be escaped when passed into other TWiki variables.
    Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
Changed:
<
<
>
>
 

Revision 22007-01-04 - TWikiContributor

Line: 1 to 1
 
META TOPICPARENT name="TWikiVariables"
Line: 11 to 11
 
Changed:
<
<
type="entity" Encode special characters into HTML entities, like a double quote into &#034; URL encoding
>
>
type="entity" Encode special characters into HTML entities, like a double quote into &#034;. Does not encode \n or \r. type="url"
type="html" As type="entity" except it also encodes \n and \r type="url"
type="quote" Escape double quotes with backslashes (\"), does not change other characters type="url"
 
type="url" Encode special characters for URL parameter use, like a double quote into %22 (this is the default)
  • Example: %ENCODE{"spaced name"}% expands to spaced%20name
Changed:
<
<
  • ALERT! Note: Values of HTML input fields must be entity encoded, for example:
    <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
>
>
  • ALERT! Note: Values of HTML input fields must be entity encoded.
    Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
  • ALERT! Note: Double quotes in strings must be escaped when passed into other TWiki variables.
    Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
 

Revision 12005-03-27 - TWikiContributor

Line: 1 to 1
Added:
>
>
META TOPICPARENT name="TWikiVariables"

ENCODE{"string"} -- encodes a string to HTML entities

  • Encode "special" characters to HTML numeric entities. Encoded characters are:
    • all non-printable ASCII characters below space, except newline ("\n") and linefeed ("\r")
    • HTML special characters "<", ">", "&", single quote (') and double quote (")
    • TWiki special characters "%", "[", "]", "@", "_", "*", "=" and "|"
  • Syntax: %ENCODE{"string"}%
  • Supported parameters:
    Parameter: Description: Default:
    "string" String to encode required (can be empty)
    type="entity" Encode special characters into HTML entities, like a double quote into &#034; URL encoding
    type="url" Encode special characters for URL parameter use, like a double quote into %22 (this is the default)
  • Example: %ENCODE{"spaced name"}% expands to spaced%20name
  • ALERT! Note: Values of HTML input fields must be entity encoded, for example:
    <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
  • Related: URLPARAM
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 1999-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback
Note: Please contribute updates to this topic on TWiki.org at TWiki:TWiki.VarENCODE.