Difference: VarENCODE (8 vs. 9)

ENCODE{string} -- encode a string to URL entities, HTML entities, CSV format, and more

• Encode "special" characters in a string to HTML numeric entities, URL entities. Also escapes special characters for CSV use and more.
• Encoded characters:
  • all non-printable ASCII characters below space, except newline ("\n") and linefeed ("\r")
  • HTML special characters "<", ">", "&", single quote (') and double quote (")
  • TWiki special characters "%", "[", "]", "@", "_", "*", "=" and "|"
• Syntax: %ENCODE{"string"}%
• Supported parameters:

  Parameter:	Description:	Default:
  "string"	String to encode	required (can be empty)
  type="url"	Encode special characters for URL parameter use, like a double quote into %22	(this is the default)
  type="quotes"	Escape double quotes with backslashes (\"), does not change other characters. This type does not protect against cross-site scripting.	type="url"
  type="moderate"	Encode special characters into HTML entities for moderate cross-site scripting protection: "<", ">", single quote (') and double quote (") are encoded. Useful to allow TWiki variables in comment boxes.	type="url"
  type="safe"	Encode special characters into HTML entities for cross-site scripting protection: "<", ">", "%", single quote (') and double quote (") are encoded.	type="url"
  type="entity"	Encode special characters into HTML entities, like a double quote into &#034;. Does not encode newline (\n) or linefeed (\r).	type="url"
  type="entity" extra=" $n$r"	For type="entity" only, use the extra parameter to encode additional characters to HTML numeric entities. Formatting tokens can be used, such as "$n" for newline. Note that type="entity" extra=" $n$r" is equivalent to type="html".	type="url" extra=""
  type="html"	Encode special characters into HTML entities. In addition to type="entity", it also encodes space, \n and \r. Useful to encode text properly in HTML input fields. See equivalent ENTITY.	type="url"

type="csv"	Escape single quotes and double quotes by repeating them, other characters do not change. Use this to properly escape fields in CSV reports that output comma-separated values, such as "field 1","field 2 with ''single'' and ""double"" quotes".	type="url"
newline="..."	Replace a newline with the specified value before encoding. Please note that newline="<br/>" does not bring <br/> to the output because < and > are encoded (except with the quotes and csv types). To have <br/> in the output, you need to specify newline="$br". However, newline="$br" does not work in combination with type="url" (the defautl type). This shouldn't be a problem because it's very rare to need to have <br/> encoded in a URL. In addition to $br, $n has a special meaning in a newline parameter value - $n results in a newline in the output. This parameter is expected to be used in combination with the moderate, safe, entity, or html type. With the other types, it causes unuseful results.

• Examples:
  • %ENCODE{"spaced name"}% expands to spaced%20name
  • %ENCODE{"spaced name" type="entity" extra=" "}% expands to spaced name
• Notes:
  • Values of HTML input fields should be encoded as "html". A shorter %ENTITY{any text}% can be used instead of the more verbose %ENCODE{ "any text" type="html" }%.
    Example: <input type="text" name="address" value="%ENTITY{any text}%" />
  • Double quotes in strings must be escaped when passed into other TWiki variables.
    Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
  • Use type="moderate", type="safe", type="entity" or type="html" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="html" is the safest mode, but some TWiki applications might not work. type="safe" provides a safe middle ground, type="moderate" provides only moderate cross-site scripting protection.
• Category: ApplicationsAndComponentsVariables, DevelopmentVariables, ExportAndPublishingVariables
• Related: ENTITY, FORMFIELD, QUERYPARAMS, URLPARAM