ENTITY{string} -- encode a string to HTML entities
- Encode "special" characters to HTML entities. Useful to encode text properly for HTML input fields.
- Encoded characters:
  - all non-printable ASCII characters below space, including newline ("\n") and linefeed ("\r")
  - Space
  - HTML special characters "<", ">", "&", single quote (') and double quote (")
  - TWiki special characters "%", "[", "]", "@", "_", "*", "=" and "|"
- Syntax: %ENTITY{string}%
- Example: %ENTITY{text with "quotes" and newline}% expands to text with "quotes" and newline (rendered form; in the raw output the quotes, spaces and the newline appear as entities, as listed above)
- Notes:
  - To protect against cross-site scripting (XSS), always entity encode text intended for HTML input fields. This is especially true if text is received dynamically via URLPARAM or the like. Example: <input type="text" name="address" value="%ENTITY{any text}%" />
  - %ENTITY{string}% is roughly equivalent to %ENCODE{ "string" type="html" }%, but the latter cannot handle strings that have double quotes embedded in them.
- Category: DevelopmentVariables, FormattingAndRenderingVariables, ExportAndPublishingVariables
- Related: ENCODE, FORMFIELD, QUERYPARAMS, URLPARAM
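The following is an added illustration, not TWiki's own Perl implementation: a Python encoder that applies the character set listed above (controls below space, space, the HTML specials and the TWiki specials) and a builder for the input-field example from the notes, so you can see why a value containing a double quote or angle bracket can no longer close the attribute or open a tag. The use of numeric entities (`&#NN;`), the helper names and the sample values are assumptions of this example.

```python
import re

# Characters the page lists as encoded by ENTITY: all ASCII control
# characters below space (newline and carriage return included), space,
# the HTML specials < > & ' " and the TWiki specials % [ ] @ _ * = |.
_ENTITY_CHARS = re.compile(r'[\x00-\x20<>&\'"%\[\]@_*=|]')


def entity_encode(text: str) -> str:
    """Replace every listed character with a numeric HTML entity (&#NN;).

    Numeric entities are an assumption of this illustration; the page
    does not state which entity form TWiki emits.
    """
    return _ENTITY_CHARS.sub(lambda m: f'&#{ord(m.group(0))};', text)


def input_field(name: str, value: str) -> str:
    """Build the <input> tag from the page's example, with the value
    entity-encoded the way %ENTITY{any text}% would be in the attribute.
    The field name is assumed to be a developer-controlled constant."""
    return f'<input type="text" name="{name}" value="{entity_encode(value)}" />'


def stays_in_attribute(value: str) -> bool:
    """Defensive check: after encoding, no raw double quote or angle
    bracket may remain, so the value cannot terminate the attribute
    or start a new element."""
    encoded = entity_encode(value)
    return not any(c in encoded for c in '"<>')


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    print(entity_encode('text with "quotes" and\nnewline'))
    hostile = '"><b>injected</b>'  # constructed attribute break-out attempt
    print(input_field("address", hostile))
    print("stays inside the attribute:", stays_in_attribute(hostile))
```

Because the regular expression also covers `%`, `[` and `]`, a value such as a literal `%URLPARAM{...}%` string is neutralised as well, which is the TWiki-specific reason those characters are in the list alongside the HTML ones.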