TWiki · TWiki · VarENCODE

Encode "special" characters to HTML numeric entities or to URL entities.
Encoded characters:
- all non-printable ASCII characters below space, except newline ("\n") and linefeed ("\r")
- HTML special characters "<", ">", "&", single quote (') and double quote (")
- TWiki special characters "%", "[", "]", "@", "_", "*", "=" and "|"
Syntax: %ENCODE{"string"}%
Supported parameters:

Parameter:	Description:	Default:
`"string"`	String to encode	required (can be empty)
`type="url"`	Encode special characters for URL parameter use, like a double quote into `%22`	(this is the default)
`type="quotes"`	Escape double quotes with backslashes (`\"`), does not change other characters. This type does not protect against cross-site scripting.	`type="url"`
`type="moderate"`	Encode special characters into HTML entities for moderate cross-site scripting protection: `"<"`, `">"`, single quote (`'`) and double quote (`"`) are encoded. Useful to allow TWiki variables in comment boxes.	`type="url"`
`type="safe"`	Encode special characters into HTML entities for cross-site scripting protection: `"<"`, `">"`, `"%"`, single quote (`'`) and double quote (`"`) are encoded.	`type="url"`
`type="entity"`	Encode special characters into HTML entities, like a double quote into `"`. Does not encode newline (`\n`) or linefeed (`\r`).	`type="url"`
`type="entity"` `extra=" $n$r"`	For `type="entity"` only, use the `extra` parameter to encode additional characters to HTML numeric entities. Formatting tokens can be used, such as `"$n"` for newline. Note that `type="entity" extra=" $n$r"` is equivalent to `type="html"`.	`type="url"` `extra=""`
`type="html"`	Encode special characters into HTML entities. In addition to `type="entity"`, it also encodes space, `\n` and `\r`. Useful to encode text properly in HTML input fields. See equivalent ENTITY.	`type="url"`

Examples:
- %ENCODE{"spaced name"}% expands to spaced%20name
- %ENCODE{"spaced name" type="entity" extra=" "}% expands to spaced name
Notes:
- Values of HTML input fields should be encoded as "html". A shorter %ENTITY{any text}% can be used instead of the more verbose %ENCODE{ "any text" type="html" }%.
  Example: <input type="text" name="address" value="%ENTITY{any text}%" />
- Double quotes in strings must be escaped when passed into other TWiki variables.
  Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
- Use type="moderate", type="safe", type="entity" or type="html" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="html" is the safest mode, but some TWiki applications might not work. type="safe" provides a safe middle ground, type="moderate" provides only moderate cross-site scripting protection.
Category: ApplicationsAndComponentsVariables, DevelopmentVariables, ExportAndPublishingVariables
Related: ENTITY, FORMFIELD, QUERYPARAMS, URLPARAM