NOTE: This is a DistributionDocument. Please help maintain high quality documentation: This is a wiki, please fix the documentation if you find errors or incomplete content. Put questions and suggestions concerning the documentation of this topic in the comments section below. Use the Support web for problems you are having using TWiki.
ENCODE{"string"} -- encodes a string to HTML entities
- Encode "special" characters to HTML numeric entities. Encoded characters are:
- all non-printable ASCII characters below space, except newline (
"\n") and linefeed ("\r") - HTML special characters
"<",">","&", single quote (') and double quote (") - TWiki special characters
"%","[","]","@","_","*","="and"|"
- all non-printable ASCII characters below space, except newline (
- Syntax:
%ENCODE{"string"}% - Supported parameters:
Parameter: Description: Default: "string"String to encode required (can be empty) type="url"Encode special characters for URL parameter use, like a double quote into %22(this is the default) type="quotes"Escape double quotes with backslashes ( \"), does not change other characters. This type does not protect against cross-site scripting.type="url"type="moderate"Encode special characters into HTML entities for moderate cross-site scripting protection: "<",">", single quote (') and double quote (") are encoded. Useful to allow TWiki variables in comment boxes.type="url"type="safe"Encode special characters into HTML entities for cross-site scripting protection: "<",">","%", single quote (') and double quote (") are encoded.type="url"type="entity"Encode special characters into HTML entities, like a double quote into ". Does not encode newline (\n) or linefeed (\r). Useful to encode text properly in HTML input fields.type="url"type="html"As type="entity"except it also encodes\nand\rtype="url" - Example:
%ENCODE{"spaced name"}%expands tospaced%20name - Notes:
- Values of HTML input fields must be entity encoded.
Example:<input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" /> - Double quotes in strings must be escaped when passed into other TWiki variables.
Example:%SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }% - Use
type="moderate",type="safe"ortype="entity"to protect user input from URL parameters and external sources against cross-site scripting (XSS).type="entity"is the safest mode, but some TWiki applications might not work.type="safe"provides a safe middle ground,type="moderate"provides only moderate cross-site scripting protection.
- Values of HTML input fields must be entity encoded.
- Related: URLPARAM
Comments & Questions about this Distribution Document Topic
I've a very simple patch that ads a new type, newlines, that transforms \r into HTML BR. Is this something interesting to be submited? -- JoseVenceslau - 08 Oct 2008 Yes, please create a FeatureRequest. -- PeterThoeny - 08 Oct 2008 Done, in VarENCODETransformNewlineIntoHTML -- JoseVenceslau - 09 Oct 2008
Topic revision: r6 - 2010-03-07 - PeterThoeny
Home 
Site map
Blog web
User registration
Users
Groups
Index
Search
Changes
Notifications
RSS Feed
Statistics
Preferences
Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.Copyright © 1999-2012 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.