Tags:
create new tag
, view all tags
ALERT! NOTE: This is a DistributionDocument. Please help maintain high quality documentation: This is a wiki, please fix the documentation if you find errors or incomplete content. Put questions and suggestions concerning the documentation of this topic in the comments section below. Use the Support web for problems you are having using TWiki.

ENCODE{string} -- encode a string to URL entities, HTML entities, CSV format, and more

  • Encode "special" characters in a string to HTML numeric entities, URL entities. Also escapes special characters for CSV use and more.
  • Encoded characters:
    • all non-printable ASCII characters below space, except newline ("\n") and linefeed ("\r")
    • HTML special characters "<", ">", "&", single quote (') and double quote (")
    • TWiki special characters "%", "[", "]", "@", "_", "*", "=" and "|"
  • Syntax: %ENCODE{"string"}%
  • Supported parameters:
    Parameter: Description: Default:
    "string" String to encode required (can be empty)
    type="url" Encode special characters for URL parameter use, like a double quote into %22 (this is the default)
    type="quotes" Escape double quotes with backslashes (\"), does not change other characters. This type does not protect against cross-site scripting. type="url"
    type="moderate" Encode special characters into HTML entities for moderate cross-site scripting protection: "<", ">", single quote (') and double quote (") are encoded. Useful to allow TWiki variables in comment boxes. type="url"
    type="safe" Encode special characters into HTML entities for cross-site scripting protection: "<", ">", "%", single quote (') and double quote (") are encoded. type="url"
    type="entity" Encode special characters into HTML entities, like a double quote into &#034;. Does not encode newline (\n) or linefeed (\r). type="url"
    type="entity"
    extra=" $n$r"
    For type="entity" only, use the extra parameter to encode additional characters to HTML numeric entities. Formatting tokens can be used, such as "$n" for newline. Note that type="entity" extra=" $n$r" is equivalent to type="html". type="url"
    extra=""
    type="html" Encode special characters into HTML entities. In addition to type="entity", it also encodes space, \n and \r. Useful to encode text properly in HTML input fields. See equivalent ENTITY. type="url"
    type="csv" Escape single quotes and double quotes by repeating them, other characters do not change. Use this to properly escape fields in CSV reports that output comma-separated values, such as "field 1","field 2 with ''single'' and ""double"" quotes". type="url"
    newline="..." Replace a newline with the specified value before encoding.
    Please note that newline="<br/>" does not bring <br/> to the output because < and > are encoded (except with the quotes and csv types). To have <br/> in the output, you need to specify newline="$br". However, newline="$br" does not work in combination with type="url" (the defautl type). This shouldn't be a problem because it's very rare to need to have <br/> encoded in a URL.
    In addition to $br, $n has a special meaning in a newline parameter value - $n results in a newline in the output.
    This parameter is expected to be used in combination with the moderate, safe, entity, or html type. With the other types, it causes unuseful results.
     
  • Examples:
    • %ENCODE{"spaced name"}% expands to spaced%20name
    • %ENCODE{"spaced name" type="entity" extra=" "}% expands to spaced&#32;name
  • Notes:
    • Values of HTML input fields should be encoded as "html". A shorter %ENTITY{any text}% can be used instead of the more verbose %ENCODE{ "any text" type="html" }%.
      Example: <input type="text" name="address" value="%ENTITY{any text}%" />
    • Double quotes in strings must be escaped when passed into other TWiki variables.
      Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
    • Use type="moderate", type="safe", type="entity" or type="html" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="html" is the safest mode, but some TWiki applications might not work. type="safe" provides a safe middle ground, type="moderate" provides only moderate cross-site scripting protection.
  • Category: ApplicationsAndComponentsVariables, DevelopmentVariables, ExportAndPublishingVariables
  • Related: ENTITY, FORMFIELD, QUERYPARAMS, URLPARAM



Comments & Questions about this Distribution Document Topic

I've a very simple patch that ads a new type, newlines, that transforms \r into HTML BR. Is this something interesting to be submited?

-- JoseVenceslau - 08 Oct 2008

Yes, please create a FeatureRequest.

-- PeterThoeny - 08 Oct 2008

Done, in VarENCODETransformNewlineIntoHTML

-- JoseVenceslau - 09 Oct 2008

Please use the Support forum if you have questions about TWiki features. This comment section is about the documentation of this topic.
Edit | Attach | Watch | Print version | History: r9 < r8 < r7 < r6 < r5 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r9 - 2014-12-16 - PeterThoeny
 
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2016 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.