ENCODE{"string"} -- encodes a string to HTML entities
- Encode "special" characters to HTML numeric entities. Encoded characters are:
  - all non-printable ASCII characters below space, except newline ("\n") and carriage return ("\r")
  - HTML special characters "<", ">", "&", single quote (') and double quote (")
  - TML special characters "%", "[", "]", "@", "_", "*", "=" and "|"
- Syntax: %ENCODE{"string"}%
- Supported parameters:
  - "string" -- String to encode. Default: required (can be empty)
  - type="entity", type="safe", type="html", type="quotes" or type="url" -- Control how special characters are encoded. Default: type="url"
    - entity: Encode special characters into HTML entities, like a double quote into &#34;. Does not encode \n or \r.
    - safe: Encode only the characters ' " < > % into HTML entities.
    - html: As type="entity", except it also encodes \n and \r.
    - quotes: Escape double quotes with backslashes (\"); does not change other characters.
    - url: Encode special characters for URL parameter use, like a double quote into %22 (this is the default).
- Example: %ENCODE{"spaced name"}% expands to spaced%20name
- Values of HTML input fields must be entity encoded.
  Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
- Double quotes in strings must be escaped when passed into other macros.
  Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
- ENCODE can be used to filter user input from URL parameters and similar sources to protect against cross-site scripting. The safest approach is to use type="entity". This can, however, prevent an application from working fully. You can then use type="safe", which encodes only the characters ' " < > % into HTML entities (the same as URLPARAM's encode="safe"). When ENCODE is passing a string inside another macro, always use type="quotes" so that embedded double quotes ("") are escaped. For maximum security against cross-site scripting you are advised to install the Foswiki:Extensions.SafeWikiPlugin.
- Related: URLPARAM
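As an added illustration (not Foswiki's own code), the following Python re-implements the documented type= rules and renders the <input> example above, showing why type="entity" is the right choice for attribute values. The character sets are taken from the description above, and the url type is approximated by percent-encoding everything except unreserved characters, so edge cases may differ from the real macro.

```python
"""Re-implementation of the documented ENCODE{"string" type="..."} rules.

Assumption: the character sets below are taken from the documentation above,
not from Foswiki's source, so edge cases may differ from the real macro.
"""
import re
from urllib.parse import quote

HTML_SPECIALS = set('<>&\'"')       # HTML special characters
TML_SPECIALS = set('%[]@_*=|')      # TML special characters
SAFE_SPECIALS = set('\'"<>%')       # the subset used by type="safe"


def _entity(ch: str) -> str:
    """Numeric HTML entity for one character, e.g. '"' -> '&#34;'."""
    return f"&#{ord(ch)};"


def encode(string: str, type_: str = "url") -> str:
    """Encode `string` the way the documented type= values describe."""
    if type_ in ("entity", "html"):
        # control characters below space; "entity" leaves \n and \r alone, "html" does not
        keep = "\n\r" if type_ == "entity" else ""
        return "".join(
            _entity(c)
            if (ord(c) < 32 and c not in keep) or c in HTML_SPECIALS or c in TML_SPECIALS
            else c
            for c in string
        )
    if type_ == "safe":
        return "".join(_entity(c) if c in SAFE_SPECIALS else c for c in string)
    if type_ == "quotes":
        return string.replace('"', '\\"')
    if type_ == "url":
        # assumption: percent-encode everything except RFC 3986 unreserved characters
        return quote(string, safe="")
    raise ValueError(f"unknown type: {type_}")


def input_field(name: str, value: str) -> str:
    """Render the documented <input> example with the value entity-encoded."""
    return f'<input type="text" name="{name}" value="{encode(value, "entity")}" />'


def attribute_is_encoded(html: str) -> bool:
    """True if the value="..." attribute holds only plain text and &#NN; entities."""
    start = html.index('value="') + len('value="')
    inner = html[start:html.rindex('" />')]
    return re.fullmatch(r'(?:[^&"<>]|&#\d+;)*', inner) is not None
```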