%META:TOPICINFO{author="TWikiContributor" date="1531610582" format="1.1" version="10"}% %META:TOPICPARENT{name="TWikiVariables"}% #VarENCODE ---+++ ENCODE{string} -- encode a string to URL entities, HTML entities, CSV format, and more * Encode "special" characters in a string to HTML numeric entities, URL entities. Also escapes special characters for CSV use and more. * Encoded characters: * all non-printable ASCII characters below space, except newline (="\n"=) and linefeed (="\r"=) * HTML special characters ="<"=, =">"=, ="&"=, single quote (='=) and double quote (="=) * TWiki special characters ="%"=, ="["=, ="]"=, ="@"=, ="_"=, ="*"=, ="="= and ="|"= * Syntax: =%ENCODE{"string"}%= * Supported parameters: | *Parameter:* | *Description:* | *Default:* | | ="string"= | String to encode | required (can be empty) | | =type="url"= | Encode special characters for URL parameter use, like a double quote into =%22= | (this is the default) | | =type="quotes"= | Escape double quotes with backslashes (=\"=), does not change other characters. This type does not protect against cross-site scripting. | =type="url"= | | =type="moderate"= | Encode special characters into HTML entities for moderate cross-site scripting protection: ="<"=, =">"=, single quote (='=) and double quote (="=) are encoded. Useful to allow TWiki variables in comment boxes. | =type="url"= | | =type="safe"= | Encode special characters into HTML entities for cross-site scripting protection: ="<"=, =">"=, ="%"=, single quote (='=) and double quote (="=) are encoded. | =type="url"= | | =type="entity"= | Encode special characters into HTML entities, like a double quote into =&#034;=. Does *not* encode newline (=\n=) or linefeed (=\r=). | =type="url"= | | =type="entity"= %BR% =extra=" $n$r"= | For =type="entity"= only, use the =extra= parameter to encode additional characters to HTML numeric entities. [[FormatTokens][Formatting tokens]] can be used, such as ="$n"= for newline. Note that =type="entity" extra=" $n$r"= is equivalent to =type="html"=. | =type="url"= %BR% =extra=""= | | =type="html"= | Encode special characters into HTML entities. In addition to =type="entity"=, it also encodes space, =\n= and =\r=. Useful to encode text properly in HTML input fields. See equivalent [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarENTITY][ENTITY]]. | =type="url"= | | =type="json"= | Escape double quotes and backslashes with backslashes (=\"= and =\\=, respectively), escape non-printable characters with hex code =\u0000= ... =\u001F=, does not change other characters. Use this to properly escape text for a [[Wikipedia:JSON][JSON]] string. Example result: =This is a string with \"quoted\" and \\backslashed\\ text=. | =type="url"= | | =type="csv"= | Escape single quotes and double quotes by repeating them, other characters do not change. Use this to properly escape fields in [[Wikipedia:Comma-separated_values][CSV]] reports that output comma-separated values, such as ="field 1","field 2 with ''single'' and ""double"" quotes"=. | =type="url"= | | =type="search"= | Special encoding used for [[%IF{"'%SEARCH%'='TWikiVariables'" then="#"}%VarSEARCH][SEARCH]]: Substitute % characters into non-printable characters, so that TWikiVariables are no longer expanded. Also escapes quotes. Used to feed a search string from a [[%IF{"'%URLPARAM%'='TWikiVariables'" then="#"}%VarURLPARAM][URLPARAM]] into SEARCH without expanding any variables, such as when searching for =%BR%=. | =type="url"= | | =newline="..."= | Replace a newline with the specified value before encoding. %BR% Please note that =newline="<br/>"= does not bring =<br/>= to the output because =<= and =>= are encoded (except with the =quotes= and =csv= types). To have =<br/>= in the output, you need to specify =newline="$br"=. However, =newline="$br"= does not work in combination with =type="url"= (the defautl type). This shouldn't be a problem because it's very rare to need to have =<br/>= encoded in a URL. %BR% In addition to =$br=, =$n= has a special meaning in a =newline= parameter value - =$n= results in a newline in the output. %BR% This parameter is expected to be used in combination with the =moderate=, =safe=, =entity=, or =html= type. With the other types, it causes unuseful results. | | * Examples: * =%ENCODE{"spaced name"}%= expands to =%ENCODE{"spaced name"}%= * =%ENCODE{"spaced name" type="entity" extra=" "}%= expands to =spaced&#32;name= * __Notes:__ * Values of HTML input fields should be encoded as ="html"=. A shorter =%ENTITY{any text}%= can be used instead of the more verbose =%ENCODE{ "any text" type="html" }%=. %BR% Example: =<input type="text" name="address" value="%ENTITY{any text}%" />= * Double quotes in strings must be escaped when passed into other TWiki variables.%BR% Example: =%SET{ "lunch" value="%ENCODE{ "string with "quotes"" type="quotes" }%" remember="1" }%= * Use =type="moderate"=, =type="safe"=, =type="entity"= or =type="html"= to protect user input from URL parameters and external sources against [[http://en.wikipedia.org/wiki/Cross-site_scripting][cross-site scripting]] (XSS). =type="html"= is the safest mode, but some TWiki applications might not work. =type="safe"= provides a safe middle ground, =type="moderate"= provides only moderate cross-site scripting protection. * Category: ApplicationsAndComponentsVariables, DevelopmentVariables, ExportAndPublishingVariables * Related: [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarENTITY][ENTITY]], [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarFORMFIELD][FORMFIELD]], [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarQUERYPARAMS][QUERYPARAMS]], [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarURLPARAM][URLPARAM]]