<a name="VarENCODE"></a>
### ENCODE\{"string"\} -- encodes a string to HTML entities
- Encode "special" characters to HTML numeric entities. Encoded characters are:
  - all non-printable ASCII characters below space, except newline (`"\n"`) and linefeed (`"\r"`)
  - HTML special characters `"<"`, `">"`, `"&"`, single quote (`'`) and double quote (`"`)
  - TWiki special characters `"%"`, `"["`, `"]"`, `"@"`, `"_"`, `"*"`, `"="` and `"|"`
- Syntax: `%ENCODE{"string"}%`
- Supported parameters:

  <table border="1" cellpadding="0" cellspacing="0">
  <tr>
  <th bgcolor="#99CCCC"><strong> Parameter: </strong></th>
  <th bgcolor="#99CCCC"><strong> Description: </strong></th>
  <th bgcolor="#99CCCC"><strong> Default: </strong></th>
  </tr>
  <tr>
  <td><code>"string"</code></td>
  <td> String to encode </td>
  <td> required (can be empty) </td>
  </tr>
  <tr>
  <td><code>type="safe"</code></td>
  <td> Encode special characters into HTML entities to avoid XSS exploits: <code>"&lt;"</code>, <code>"&gt;"</code>, <code>"%"</code>, single quote (<code>'</code>) and double quote (<code>"</code>) </td>
  <td><code>type="url"</code></td>
  </tr>
  <tr>
  <td><code>type="entity"</code></td>
  <td> Encode special characters into HTML entities, like a double quote into <code>&amp;#034;</code>. Does <strong>not</strong> encode <code>\n</code> or <code>\r</code>. </td>
  <td><code>type="url"</code></td>
  </tr>
  <tr>
  <td><code>type="html"</code></td>
  <td> As <code>type="entity"</code>, except it also encodes <code>\n</code> and <code>\r</code> </td>
  <td><code>type="url"</code></td>
  </tr>
  <tr>
  <td><code>type="quotes"</code></td>
  <td> Escape double quotes with backslashes (<code>\"</code>); does not change other characters </td>
  <td><code>type="url"</code></td>
  </tr>
  <tr>
  <td><code>type="url"</code></td>
  <td> Encode special characters for URL parameter use, like a double quote into <code>%22</code> </td>
  <td> (this is the default) </td>
  </tr>
  </table>
- Example: `%ENCODE{"spaced name"}%` expands to `spaced%20name`
- Values of HTML input fields must be entity encoded. Example: `<input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />`
- Double quotes in strings must be escaped when passed into other TWiki variables. Example: `%SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%`
- Use `type="entity"` or `type="safe"` to protect user input from URL parameters and external sources against cross-site scripting (XSS). `type="entity"` is more aggressive, but some TWiki applications might not work with it. `type="safe"` provides a safe middle ground.
- Related: [[URLPARAM|Main/VarURLPARAM]]
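The encoding rules above, reimplemented as an added Python example (this is not TWiki's own code; the function name `encode` and the helper `input_field` are assumptions) so the differences between `entity`, `html`, `safe`, `quotes` and `url` can be compared on the same input, including an untrusted value dropped into the `<input>` example:

```python
from urllib.parse import quote

# Character classes exactly as the page lists them.
_HTML_SPECIAL = set('<>&\'"')        # encoded by entity/html
_TWIKI_SPECIAL = set('%[]@_*=|')     # encoded by entity/html
_SAFE_SET = set('<>%\'"')            # the smaller set encoded by type="safe"


def _entity(ch):
    """Numeric entity in the three-digit form the page shows, e.g. '"' -> '&#034;'."""
    return '&#%03d;' % ord(ch)


def encode(text, enc_type='url'):
    """Mimic %ENCODE{"text" type="..."}% for the five documented types."""
    if enc_type == 'url':
        # Percent-encode everything but unreserved characters: ' ' -> %20, '"' -> %22
        return quote(text, safe='')
    if enc_type == 'quotes':
        # Only double quotes change, so the result can be nested in another variable.
        return text.replace('"', '\\"')
    if enc_type == 'safe':
        return ''.join(_entity(c) if c in _SAFE_SET else c for c in text)
    if enc_type in ('entity', 'html'):
        keep_newlines = enc_type == 'entity'   # html additionally encodes \n and \r
        out = []
        for c in text:
            if ord(c) < 32:
                out.append(c if keep_newlines and c in '\n\r' else _entity(c))
            elif c in _HTML_SPECIAL or c in _TWIKI_SPECIAL:
                out.append(_entity(c))
            else:
                out.append(c)
        return ''.join(out)
    raise ValueError('unknown encode type: %r' % enc_type)


def input_field(name, value):
    """The page's <input> example: the value attribute must be entity encoded."""
    return '<input type="text" name="%s" value="%s" />' % (name, encode(value, 'entity'))


if __name__ == '__main__':
    # Constructed untrusted value that tries to close the attribute and inject markup.
    print(input_field('address', '"><b>x</b>'))
```

With `type="entity"` the quote and angle brackets become `&#034;`, `&#062;` and `&#060;`, so the value stays inside the attribute instead of becoming markup.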