Description

Encodes an input string for a safe HTML output to prevent Cross Site Scripting (XSS) attacks. Prior to ColdFusion 10, the HTMLEditFormat function encoded user inputs to avoid unwanted HTML rendering. But HTMLEditFormat had its limitations when encoding <, >, and &. EncodeForHTML mitigates these risks.

Returns

Encoded string

Category

Display and formatting functions

Syntax

 

encodeForHTML(inputString [,canonicalize])

See also

CanonicalizeEncodeForHTMLAttributeEncodeForJavaScriptEncodeForCSSEncodeForURL

History

ColdFusion 10: Added this function.

Parameters

Parameter

Description

inputString

Required. The string to encode.

canonicalize

Optional. If set to true, canonicalization happens before encoding. If set to false, the given input string will just be encoded. The default value for canonicalize is false. When this parameter is not specified, canonicalization will not happen. By default, when canonicalization is performed, both mixed and multiple encodings will be allowed. To use any other combinations you should canonicalize using canonicalize method and then perform encoding.

Example with HTMLEditFormat

<cfscript>
       s1="<script>";
       s2="&<>'/" & '"';
       WriteOutput(HTMLEditFormat(s1) & " | ");
       WriteOutput(HTMLEditFormat(s2));
</cfscript>

Output

<script> | &<>'/" & '"

Example using EncodeForHTML

<cfscript>
       s1="<script>";
       s2="&<>'/" & '"';
       WriteOutput(EncodeForHTML(s1) & " | ");
       WriteOutput(EncodeForHTML(s2));
</cfscript>

Output

&lt;script&gt;  | &amp;&lt;&gt;&#x27;&#x2f;&quot; 

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy