ENTITY{string} -- encode a string to HTML entities

  • Encode "special" characters to HTML entities. Useful to encode text properly for HTML input fields.
  • Encoded characters:
    • all non-printable ASCII characters below space, including newline ("\n") and linefeed ("\r")
    • Space
    • HTML special characters "<", ">", "&", single quote (') and double quote (")
    • TWiki special characters "%", "[", "]", "@", "_", "*", "=" and "|"
  • Syntax: %ENTITY{string}%
  • Example: %ENTITY{text with "quotes" and
    newline}%
    expands to text&#32;with&#32;&#34;quotes&#34;&#32;and&#10;newline
  • Notes:
    • To protect against cross-site scripting (XSS), always entity encode text intended for HTML input fields. This is especially true if text is received dynamically via URLPARAM or the like.
      Example: <input type="text" name="address" value="%ENTITY{any text}%" />
    • %ENTITY{string}% is roughly equivalent to %ENCODE{ "string" type="html" }%, but the latter cannot handle strings that have double quotes embedded in it.
  • Category: DevelopmentVariables, FormattingAndRenderingVariables, ExportAndPublishingVariables
  • Related: ENCODE, FORMFIELD, QUERYPARAMS, URLPARAM
Topic revision: r1 - 2012-11-12 - TWikiContributor
 

Copyright © 1999-2024 by the contributing authors. All material from TWiki is the property of the contributing authors.
Questions, comments, or concerns? Contact GNHLUG.
All use of this site subject to our Legal Notice (includes Terms of Service).