|
ENCODE{string} -- encode a string to URL entities, HTML entities, CSV format, and more
- Encode "special" characters in a string to HTML numeric entities, URL entities. Also escapes special characters for CSV use and more.
- Encoded characters:
- all non-printable ASCII characters below space, except newline (
"\n" ) and linefeed ("\r" )
- HTML special characters
"<" , ">" , "&" , single quote (' ) and double quote (" )
- TWiki special characters
"%" , "[" , "]" , "@" , "_" , "*" , "=" and "|"
- Syntax:
%ENCODE{"string"}%
- Supported parameters:
Parameter: | Description: | Default: | "string" | String to encode | required (can be empty) | type="url" | Encode special characters for URL parameter use, like a double quote into %22 | (this is the default) | type="quotes" | Escape double quotes with backslashes (\" ), does not change other characters. This type does not protect against cross-site scripting. | type="url" | type="moderate" | Encode special characters into HTML entities for moderate cross-site scripting protection: "<" , ">" , single quote (' ) and double quote (" ) are encoded. Useful to allow TWiki variables in comment boxes. | type="url" | type="safe" | Encode special characters into HTML entities for cross-site scripting protection: "<" , ">" , "%" , single quote (' ) and double quote (" ) are encoded. | type="url" | type="entity" | Encode special characters into HTML entities, like a double quote into " . Does not encode newline (\n ) or linefeed (\r ). | type="url" | type="entity" extra=" $n$r" | For type="entity" only, use the extra parameter to encode additional characters to HTML numeric entities. Formatting tokens can be used, such as "$n" for newline. Note that type="entity" extra=" $n$r" is equivalent to type="html" . | type="url" extra="" | type="html" | Encode special characters into HTML entities. In addition to type="entity" , it also encodes space, \n and \r . Useful to encode text properly in HTML input fields. See equivalent ENTITY. | type="url" | type="json" | Escape double quotes and backslashes with backslashes (\" and \\ , respectively), escape non-printable characters with hex code \u0000 ... \u001F , does not change other characters. Use this to properly escape text for a JSON string. Example result: This is a string with \"quoted\" and \\backslashed\\ text . | type="url" | type="csv" | Escape single quotes and double quotes by repeating them, other characters do not change. Use this to properly escape fields in CSV reports that output comma-separated values, such as "field 1","field 2 with ''single'' and ""double"" quotes" . | type="url" | type="search" | Special encoding used for SEARCH: Substitute % characters into non-printable characters, so that TWikiVariables are no longer expanded. Also escapes quotes. Used to feed a search string from a URLPARAM into SEARCH without expanding any variables, such as when searching for %BR% . | type="url" | newline="..." | Replace a newline with the specified value before encoding. Please note that newline="<br/>" does not bring <br/> to the output because < and > are encoded (except with the quotes and csv types). To have <br/> in the output, you need to specify newline="$br" . However, newline="$br" does not work in combination with type="url" (the defautl type). This shouldn't be a problem because it's very rare to need to have <br/> encoded in a URL. In addition to $br , $n has a special meaning in a newline parameter value - $n results in a newline in the output. This parameter is expected to be used in combination with the moderate , safe , entity , or html type. With the other types, it causes unuseful results. | |
- Examples:
-
%ENCODE{"spaced name"}% expands to spaced%20name
-
%ENCODE{"spaced name" type="entity" extra=" "}% expands to spaced name
- Notes:
- Values of HTML input fields should be encoded as
"html" . A shorter %ENTITY{any text}% can be used instead of the more verbose %ENCODE{ "any text" type="html" }% . Example: <input type="text" name="address" value="%ENTITY{any text}%" />
- Double quotes in strings must be escaped when passed into other TWiki variables.
Example: %SET{ "lunch" value="%ENCODE{ "string with "quotes"" type="quotes" }%" remember="1" }%
- Use
type="moderate" , type="safe" , type="entity" or type="html" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="html" is the safest mode, but some TWiki applications might not work. type="safe" provides a safe middle ground, type="moderate" provides only moderate cross-site scripting protection.
- Category: ApplicationsAndComponentsVariables, DevelopmentVariables, ExportAndPublishingVariables
- Related: ENTITY, FORMFIELD, QUERYPARAMS, URLPARAM
|