Description
Encodes an input string for a safe HTML output to prevent Cross Site Scripting (XSS) attacks. Prior to ColdFusion 10, the HTMLEditFormat function encoded user inputs to avoid unwanted HTML rendering. But HTMLEditFormat had its limitations when encoding <, >, and &. EncodeForHTML mitigates these risks.
Returns
Encoded string
Category
Display and formatting functions
Syntax
encodeForHTML(string [,canonicalize])
See also
Canonicalize, EncodeForHTMLAttribute, EncodeForJavaScript, EncodeForCSS, EncodeForURL
History
ColdFusion (2018 release): Introduced named parameters.
ColdFusion 10: Added this function.
Parameters
Parameter |
Description |
---|---|
string |
Required. The string to encode. |
canonicalize |
Optional. If set to true, canonicalization happens before encoding. If set to false, the given input string will just be encoded. The default value for canonicalize is false. When this parameter is not specified, canonicalization will not happen. By default, when canonicalization is performed, both mixed and multiple encodings will be allowed. To use any other combinations you should canonicalize using canonicalize method and then perform encoding. |
Example with HTMLEditFormat
<cfscript> s1="<script>"; s2="&<>'/" & '"'; WriteOutput(EncodeForHTMLAttribute(s1) & "<br/>"); WriteOutput(EncodeForHTMLAttribute(s2)); </cfscript>
Output
<script> | &<>'/" & '"
Example using EncodeForHTML
<cfscript> s1="<script>"; s2="&<>'/" & '"'; WriteOutput(EncodeForHTML(s1) & " | "); WriteOutput(EncodeForHTML(s2)); </cfscript>
Output
<script> | &<>'/"