ENCODE{"string"} -- encodes a string to HTML entities
- Encode "special" characters to HTML numeric entities. Encoded characters are:
- all non-printable ASCII characters below space, except newline (
"\n") and linefeed ("\r") - HTML special characters
"<",">","&", single quote (') and double quote (") - TWiki special characters
"%","[","]","@","_","*","="and"|"
- all non-printable ASCII characters below space, except newline (
- Syntax:
%ENCODE{"string"}% - Supported parameters:
Parameter: Description: 
Default: type="html"As type="entity"except it also encodes\nand\rtype="url"type="url"Encode special characters for URL parameter use, like a double quote into %22(this is the default) type="safe"Encode special characters into HTML entities to avoid XSS exploits: "<",">","%", single quote (') and double quote (")type="url"type="entity"Encode special characters into HTML entities, like a double quote into ". Does not encode\nor\r.type="url"type="quotes"Escape double quotes with backslashes ( \"), does not change other characterstype="url""string"String to encode required (can be empty) - Example:
%ENCODE{"spaced name"}%expands tospaced%20name -
Notes: - Values of HTML input fields must be entity encoded.
Example:<input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" /> - Double quotes in strings must be escaped when passed into other TWiki variables.
Example:%SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }% - Use
type="entity"ortype="safe"to protect user input from URL parameters and external sources against cross-site scripting (XSS).type="entity"is more aggressive, but some TWiki applications might not work.type="safe"provides a safe middle ground.
- Values of HTML input fields must be entity encoded.
- Related: URLPARAM
Users
Groups
Search
Changes
Notifications
Statistics
Preferences |
|
