Difference: VarENCODE (1 vs. 10)

Revision 102018-07-15 - TWikiContributor

Line: 1 to 1

META TOPICPARENT	name="TWikiVariables"

ENCODE{string} -- encode a string to URL entities, HTML entities, CSV format, and more

Line: 20 to 20

`type="html"`	Encode special characters into HTML entities. In addition to `type="entity"`, it also encodes space, `\n` and `\r`. Useful to encode text properly in HTML input fields. See equivalent ENTITY.	`type="url"`
`type="json"`	Escape double quotes and backslashes with backslashes (`\"` and `\\`, respectively), escape non-printable characters with hex code `\u0000` ... `\u001F`, does not change other characters. Use this to properly escape text for a JSON string. Example result: `This is a string with \"quoted\" and \\backslashed\\ text`.	`type="url"`
`type="csv"`	Escape single quotes and double quotes by repeating them, other characters do not change. Use this to properly escape fields in CSV reports that output comma-separated values, such as `"field 1","field 2 with ''single'' and ""double"" quotes"`.	`type="url"`

Added:

>
>

type="search" Special encoding used for SEARCH: Substitute % characters into non-printable characters, so that TWikiVariables are no longer expanded. Also escapes quotes. Used to feed a search string from a URLPARAM into SEARCH without expanding any variables, such as when searching for %BR%. type="url"

newline="..." Replace a newline with the specified value before encoding.
Please note that newline="<br/>" does not bring <br/> to the output because < and > are encoded (except with the quotes and csv types). To have <br/> in the output, you need to specify newline="$br". However, newline="$br" does not work in combination with type="url" (the defautl type). This shouldn't be a problem because it's very rare to need to have <br/> encoded in a URL.
In addition to $br, $n has a special meaning in a newline parameter value - $n results in a newline in the output.
This parameter is expected to be used in combination with the moderate, safe, entity, or html type. With the other types, it causes unuseful results.

Examples:
- %ENCODE{"spaced name"}% expands to spaced%20name
- %ENCODE{"spaced name" type="entity" extra=" "}% expands to spaced name
Notes:
- Values of HTML input fields should be encoded as "html". A shorter %ENTITY{any text}% can be used instead of the more verbose %ENCODE{ "any text" type="html" }%.
  Example: <input type="text" name="address" value="%ENTITY{any text}%" />

Changed:

<
<

- Double quotes in strings must be escaped when passed into other TWiki variables.
  Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%

>
>

- Double quotes in strings must be escaped when passed into other TWiki variables.
  Example: %SET{ "lunch" value="%ENCODE{ "string with "quotes"" type="quotes" }%" remember="1" }%

- Use type="moderate", type="safe", type="entity" or type="html" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="html" is the safest mode, but some TWiki applications might not work. type="safe" provides a safe middle ground, type="moderate" provides only moderate cross-site scripting protection.
Category: ApplicationsAndComponentsVariables, DevelopmentVariables, ExportAndPublishingVariables
Related: ENTITY, FORMFIELD, QUERYPARAMS, URLPARAM

Revision 92015-06-18 - TWikiContributor

Line: 1 to 1

META TOPICPARENT	name="TWikiVariables"

ENCODE{string} -- encode a string to URL entities, HTML entities, CSV format, and more

Line: 18 to 18

`type="entity"`	Encode special characters into HTML entities, like a double quote into `"`. Does not encode newline (`\n`) or linefeed (`\r`).	`type="url"`
`type="entity"` `extra=" $n$r"`	For `type="entity"` only, use the `extra` parameter to encode additional characters to HTML numeric entities. Formatting tokens can be used, such as `"$n"` for newline. Note that `type="entity" extra=" $n$r"` is equivalent to `type="html"`.	`type="url"` `extra=""`
`type="html"`	Encode special characters into HTML entities. In addition to `type="entity"`, it also encodes space, `\n` and `\r`. Useful to encode text properly in HTML input fields. See equivalent ENTITY.	`type="url"`

Added:

>
>

type="json" Escape double quotes and backslashes with backslashes (\" and \\, respectively), escape non-printable characters with hex code \u0000 ... \u001F, does not change other characters. Use this to properly escape text for a JSON string. Example result: This is a string with \"quoted\" and \\backslashed\\ text. type="url"

`type="csv"`	Escape single quotes and double quotes by repeating them, other characters do not change. Use this to properly escape fields in CSV reports that output comma-separated values, such as `"field 1","field 2 with ''single'' and ""double"" quotes"`.	`type="url"`
`newline="..."`	Replace a newline with the specified value before encoding. Please note that `newline="<br/>"` does not bring `<br/>` to the output because `<` and `>` are encoded (except with the `quotes` and `csv` types). To have `<br/>` in the output, you need to specify `newline="$br"`. However, `newline="$br"` does not work in combination with `type="url"` (the defautl type). This shouldn't be a problem because it's very rare to need to have `<br/>` encoded in a URL. In addition to `$br`, `$n` has a special meaning in a `newline` parameter value - `$n` results in a newline in the output. This parameter is expected to be used in combination with the `moderate`, `safe`, `entity`, or `html` type. With the other types, it causes unuseful results.

Examples:

Revision 82014-04-16 - TWikiContributor

Line: 1 to 1

META TOPICPARENT	name="TWikiVariables"

Changed:

<
<

ENCODE{string} -- encode a string to URL or HTML entities

Encode "special" characters to HTML numeric entities or to URL entities.

>
>

ENCODE{string} -- encode a string to URL entities, HTML entities, CSV format, and more

Encode "special" characters in a string to HTML numeric entities, URL entities. Also escapes special characters for CSV use and more.

Encoded characters:
- all non-printable ASCII characters below space, except newline ("\n") and linefeed ("\r")
- HTML special characters "<", ">", "&", single quote (') and double quote (")

Line: 18 to 18

`type="entity"`	Encode special characters into HTML entities, like a double quote into `"`. Does not encode newline (`\n`) or linefeed (`\r`).	`type="url"`
`type="entity"` `extra=" $n$r"`	For `type="entity"` only, use the `extra` parameter to encode additional characters to HTML numeric entities. Formatting tokens can be used, such as `"$n"` for newline. Note that `type="entity" extra=" $n$r"` is equivalent to `type="html"`.	`type="url"` `extra=""`
`type="html"`	Encode special characters into HTML entities. In addition to `type="entity"`, it also encodes space, `\n` and `\r`. Useful to encode text properly in HTML input fields. See equivalent ENTITY.	`type="url"`

Added:

>
>

`type="csv"`	Escape single quotes and double quotes by repeating them, other characters do not change. Use this to properly escape fields in CSV reports that output comma-separated values, such as `"field 1","field 2 with ''single'' and ""double"" quotes"`.	`type="url"`
`newline="..."`	Replace a newline with the specified value before encoding. Please note that `newline="<br/>"` does not bring `<br/>` to the output because `<` and `>` are encoded (except with the `quotes` and `csv` types). To have `<br/>` in the output, you need to specify `newline="$br"`. However, `newline="$br"` does not work in combination with `type="url"` (the defautl type). This shouldn't be a problem because it's very rare to need to have `<br/>` encoded in a URL. In addition to `$br`, `$n` has a special meaning in a `newline` parameter value - `$n` results in a newline in the output. This parameter is expected to be used in combination with the `moderate`, `safe`, `entity`, or `html` type. With the other types, it causes unuseful results.

Examples:
- %ENCODE{"spaced name"}% expands to spaced%20name
- %ENCODE{"spaced name" type="entity" extra=" "}% expands to spaced name

Revision 72012-11-12 - TWikiContributor

Line: 1 to 1

META TOPICPARENT	name="TWikiVariables"

Changed:

<
<

ENCODE{"string"} -- encodes a string to HTML entities

Encode "special" characters to HTML numeric entities. Encoded characters are:

>
>

ENCODE{string} -- encode a string to URL or HTML entities

Encode "special" characters to HTML numeric entities or to URL entities.
Encoded characters:

- all non-printable ASCII characters below space, except newline ("\n") and linefeed ("\r")
- HTML special characters "<", ">", "&", single quote (') and double quote (")
- TWiki special characters "%", "[", "]", "@", "_", "*", "=" and "|"

Line: 15 to 16

`type="moderate"`	Encode special characters into HTML entities for moderate cross-site scripting protection: `"<"`, `">"`, single quote (`'`) and double quote (`"`) are encoded. Useful to allow TWiki variables in comment boxes.	`type="url"`
`type="safe"`	Encode special characters into HTML entities for cross-site scripting protection: `"<"`, `">"`, `"%"`, single quote (`'`) and double quote (`"`) are encoded.	`type="url"`
`type="entity"`	Encode special characters into HTML entities, like a double quote into `"`. Does not encode newline (`\n`) or linefeed (`\r`).	`type="url"`

Changed:

<
<

type="html" Encode special characters into HTML entities. In addition to type="entity", it also encodes space, \n and \r. Useful to encode text properly in HTML input fields. type="url"

Example: %ENCODE{"spaced name"}% expands to spaced%20name
Notes:
- Values of HTML input fields should encoded as "html".
  Example: <input type="text" name="address" value="%ENCODE{ "any text" type="html" }%" />

>
>

`type="entity"` `extra=" $n$r"`	For `type="entity"` only, use the `extra` parameter to encode additional characters to HTML numeric entities. Formatting tokens can be used, such as `"$n"` for newline. Note that `type="entity" extra=" $n$r"` is equivalent to `type="html"`.	`type="url"` `extra=""`
`type="html"`	Encode special characters into HTML entities. In addition to `type="entity"`, it also encodes space, `\n` and `\r`. Useful to encode text properly in HTML input fields. See equivalent ENTITY.	`type="url"`

Examples:
- %ENCODE{"spaced name"}% expands to spaced%20name
- %ENCODE{"spaced name" type="entity" extra=" "}% expands to spaced name
Notes:
- Values of HTML input fields should be encoded as "html". A shorter %ENTITY{any text}% can be used instead of the more verbose %ENCODE{ "any text" type="html" }%.
  Example: <input type="text" name="address" value="%ENTITY{any text}%" />

- Double quotes in strings must be escaped when passed into other TWiki variables.
  Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%

Changed:

<
<

- Use type="moderate", type="safe" or type="entity" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="entity" is the safest mode, but some TWiki applications might not work. type="safe" provides a safe middle ground, type="moderate" provides only moderate cross-site scripting protection.

Related: FORMFIELD, QUERYPARAMS, URLPARAM

>
>

- Use type="moderate", type="safe", type="entity" or type="html" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="html" is the safest mode, but some TWiki applications might not work. type="safe" provides a safe middle ground, type="moderate" provides only moderate cross-site scripting protection.
Category: ApplicationsAndComponentsVariables, DevelopmentVariables, ExportAndPublishingVariables
Related: ENTITY, FORMFIELD, QUERYPARAMS, URLPARAM

Revision 62011-06-14 - TWikiContributor

Line: 1 to 1

META TOPICPARENT	name="TWikiVariables"

ENCODE{"string"} -- encodes a string to HTML entities

Line: 14 to 14

`type="quotes"`	Escape double quotes with backslashes (`\"`), does not change other characters. This type does not protect against cross-site scripting.	`type="url"`
`type="moderate"`	Encode special characters into HTML entities for moderate cross-site scripting protection: `"<"`, `">"`, single quote (`'`) and double quote (`"`) are encoded. Useful to allow TWiki variables in comment boxes.	`type="url"`
`type="safe"`	Encode special characters into HTML entities for cross-site scripting protection: `"<"`, `">"`, `"%"`, single quote (`'`) and double quote (`"`) are encoded.	`type="url"`

Changed:

<
<

`type="entity"`	Encode special characters into HTML entities, like a double quote into `"`. Does not encode newline (`\n`) or linefeed (`\r`). Useful to encode text properly in HTML input fields.	`type="url"`
`type="html"`	As `type="entity"` except it also encodes `\n` and `\r`	`type="url"`

>
>

`type="entity"`	Encode special characters into HTML entities, like a double quote into `"`. Does not encode newline (`\n`) or linefeed (`\r`).	`type="url"`
`type="html"`	Encode special characters into HTML entities. In addition to `type="entity"`, it also encodes space, `\n` and `\r`. Useful to encode text properly in HTML input fields.	`type="url"`

Example: %ENCODE{"spaced name"}% expands to spaced%20name
Notes:

Changed:

<
<

- Values of HTML input fields must be entity encoded.
  Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />

>
>

- Values of HTML input fields should encoded as "html".
  Example: <input type="text" name="address" value="%ENCODE{ "any text" type="html" }%" />

- Double quotes in strings must be escaped when passed into other TWiki variables.
  Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
- Use type="moderate", type="safe" or type="entity" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="entity" is the safest mode, but some TWiki applications might not work. type="safe" provides a safe middle ground, type="moderate" provides only moderate cross-site scripting protection.

Changed:

<
<

Related: URLPARAM

>
>

Related: FORMFIELD, QUERYPARAMS, URLPARAM

Revision 52010-03-07 - TWikiContributor

Line: 1 to 1

META TOPICPARENT	name="TWikiVariables"

ENCODE{"string"} -- encodes a string to HTML entities

Line: 10 to 10

Supported parameters:

Parameter: Description: Default:

"string" String to encode required (can be empty)

Deleted:

<
<

`type="safe"`	Encode special characters into HTML entities to avoid XSS exploits: `"<"`, `">"`, `"%"`, single quote (`'`) and double quote (`"`)	`type="url"`
`type="entity"`	Encode special characters into HTML entities, like a double quote into `"`. Does not encode `\n` or `\r`.	`type="url"`
`type="html"`	As `type="entity"` except it also encodes `\n` and `\r`	`type="url"`
`type="quotes"`	Escape double quotes with backslashes (`\"`), does not change other characters	`type="url"`

type="url" Encode special characters for URL parameter use, like a double quote into %22 (this is the default)

Added:

>
>

`type="quotes"`	Escape double quotes with backslashes (`\"`), does not change other characters. This type does not protect against cross-site scripting.	`type="url"`
`type="moderate"`	Encode special characters into HTML entities for moderate cross-site scripting protection: `"<"`, `">"`, single quote (`'`) and double quote (`"`) are encoded. Useful to allow TWiki variables in comment boxes.	`type="url"`
`type="safe"`	Encode special characters into HTML entities for cross-site scripting protection: `"<"`, `">"`, `"%"`, single quote (`'`) and double quote (`"`) are encoded.	`type="url"`
`type="entity"`	Encode special characters into HTML entities, like a double quote into `"`. Does not encode newline (`\n`) or linefeed (`\r`). Useful to encode text properly in HTML input fields.	`type="url"`
`type="html"`	As `type="entity"` except it also encodes `\n` and `\r`	`type="url"`

Example: %ENCODE{"spaced name"}% expands to spaced%20name
Notes:
- Values of HTML input fields must be entity encoded.
  Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
- Double quotes in strings must be escaped when passed into other TWiki variables.
  Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%

Changed:

<
<

- Use type="entity" or type="safe" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="entity" is more aggressive, but some TWiki applications might not work. type="safe" provides a safe middle ground.

>
>

- Use type="moderate", type="safe" or type="entity" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="entity" is the safest mode, but some TWiki applications might not work. type="safe" provides a safe middle ground, type="moderate" provides only moderate cross-site scripting protection.

Related: URLPARAM

Revision 42009-02-23 - TWikiContributor

Line: 1 to 1

META TOPICPARENT	name="TWikiVariables"

ENCODE{"string"} -- encodes a string to HTML entities

Line: 10 to 10

Supported parameters:

Parameter: Description: Default:

"string" String to encode required (can be empty)

Added:

>
>

type="safe" Encode special characters into HTML entities to avoid XSS exploits: "<", ">", "%", single quote (') and double quote (") type="url"

`type="entity"`	Encode special characters into HTML entities, like a double quote into `"`. Does not encode `\n` or `\r`.	`type="url"`
`type="html"`	As `type="entity"` except it also encodes `\n` and `\r`	`type="url"`
`type="quotes"`	Escape double quotes with backslashes (`\"`), does not change other characters	`type="url"`
`type="url"`	Encode special characters for URL parameter use, like a double quote into `%22`	(this is the default)

Example: %ENCODE{"spaced name"}% expands to spaced%20name

Changed:

<
<

Note: Values of HTML input fields must be entity encoded.
Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
Note: Double quotes in strings must be escaped when passed into other TWiki variables.
Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%

>
>

Notes:
- Values of HTML input fields must be entity encoded.
  Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
- Double quotes in strings must be escaped when passed into other TWiki variables.
  Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
- Use type="entity" or type="safe" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="entity" is more aggressive, but some TWiki applications might not work. type="safe" provides a safe middle ground.

Related: URLPARAM

Deleted:

<
<

Revision 32007-01-04 - TWikiContributor

Line: 1 to 1

META TOPICPARENT	name="TWikiVariables"

Deleted:

<
<

ENCODE{"string"} -- encodes a string to HTML entities

Encode "special" characters to HTML numeric entities. Encoded characters are:
- all non-printable ASCII characters below space, except newline ("\n") and linefeed ("\r")

Line: 13 to 12

`"string"`	String to encode	required (can be empty)
`type="entity"`	Encode special characters into HTML entities, like a double quote into `"`. Does not encode `\n` or `\r`.	`type="url"`
`type="html"`	As `type="entity"` except it also encodes `\n` and `\r`	`type="url"`

Changed:

<
<

type="quote" Escape double quotes with backslashes (\"), does not change other characters type="url"

>
>

type="quotes" Escape double quotes with backslashes (\"), does not change other characters type="url"

type="url" Encode special characters for URL parameter use, like a double quote into %22 (this is the default)

Example: %ENCODE{"spaced name"}% expands to spaced%20name
Note: Values of HTML input fields must be entity encoded.
Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
Note: Double quotes in strings must be escaped when passed into other TWiki variables.
Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%

Changed:

<
<

Related: URLPARAM

>
>

Related: URLPARAM

Revision 22007-01-04 - TWikiContributor

Line: 1 to 1

META TOPICPARENT	name="TWikiVariables"

Line: 11 to 11

Supported parameters:

Parameter: Description: Default:

"string" String to encode required (can be empty)

Changed:

<
<

type="entity" Encode special characters into HTML entities, like a double quote into " URL encoding

>
>

`type="entity"`	Encode special characters into HTML entities, like a double quote into `"`. Does not encode `\n` or `\r`.	`type="url"`
`type="html"`	As `type="entity"` except it also encodes `\n` and `\r`	`type="url"`
`type="quote"`	Escape double quotes with backslashes (`\"`), does not change other characters	`type="url"`

type="url" Encode special characters for URL parameter use, like a double quote into %22 (this is the default)

Example: %ENCODE{"spaced name"}% expands to spaced%20name

Changed:

<
<

Note: Values of HTML input fields must be entity encoded, for example:
<input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />

>
>

Note: Values of HTML input fields must be entity encoded.
Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
Note: Double quotes in strings must be escaped when passed into other TWiki variables.
Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%

Related: URLPARAM

Revision 12005-03-27 - TWikiContributor

Line: 1 to 1

Added:

>
>

META TOPICPARENT	name="TWikiVariables"

ENCODE{"string"} -- encodes a string to HTML entities

Encode "special" characters to HTML numeric entities. Encoded characters are:
- all non-printable ASCII characters below space, except newline ("\n") and linefeed ("\r")
- HTML special characters "<", ">", "&", single quote (') and double quote (")
- TWiki special characters "%", "[", "]", "@", "_", "*", "=" and "|"
Syntax: %ENCODE{"string"}%

Supported parameters:

Parameter:	Description:	Default:
`"string"`	String to encode	required (can be empty)
`type="entity"`	Encode special characters into HTML entities, like a double quote into `"`	URL encoding
`type="url"`	Encode special characters for URL parameter use, like a double quote into `%22`	(this is the default)

Example: %ENCODE{"spaced name"}% expands to spaced%20name
Note: Values of HTML input fields must be entity encoded, for example:
<input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
Related: URLPARAM

View topic | History: r10 < r9 < r8 < r7 | More topic actions...

Copyright © 1999-2025 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback
Note: Please contribute updates to this topic on TWiki.org at TWiki:TWiki.VarENCODE.