4

Which one's correct?

<img src="#encodeForHTMLAttribute(FORM.path)#">

or

<img src="#encodeForURL(FORM.path)#">

or

<img src="#encodeForHTMLAttribute(encodeForURL(FORM.path))#">

?

Henry

3 Answers

7

Use the method(s) which match the context of where you are inserting the text that needs encoding.


encodeForUrl is for placing dynamic text into a URL - so it will replace / with %2F (and so on), and if you apply it to an entire URL, you will have an encoded URL (which is therefore broken for use in a src attribute).

If you are allowing users to supply a partial URL, you would need to split on / (and any other relevant delimiters), apply encodeForUrl on each part, then join back together again.

Note: encodeForUrl appears to pass its string straight to Java, which means backslashes are treated as escape characters - \b\n encodes to %08%0A instead of %5Cb%5Cn - this behaviour is not part of standard URL encoding (nor CF strings in general). To avoid this use the function UrlEncodedFormat instead.

encodeForHTMLAttribute is for placing dynamic text into an HTML attribute - its purpose is to ensure the contents are treated as text (not parsed as HTML) - it doesn't know/care whether its contents are a URL or something else.


In summary, you probably want encodeForHtmlAttribute( UrlEncodedFormat( Form.Path ) ) for this situation.

Peter Boughton
    Correct. This normally means you url encode any parameters taken from the current url, and then html attribute encode the whole url. – Erlend Oct 17 '12 at 04:50
  • Thanks Peter for the valuable information. I would like to know, in order to use the encodeForUrl method in JavaScript, which package has to be imported? – Sarath Upadrista Dec 26 '14 at 12:02
1

In your example the answer is to use both.

However, depending on the content of FORM.path you may break things.

The function encodeForURL should be called encodeURIComponent (as is done in JavaScript) because it is intended to be used on URI components, not on the entire URL string. URI components, such as name/value pairs, need to be encoded separately; otherwise the separator ("=" for name/value pairs) will be encoded as well.

The following will result in a 404, even if you have an index.cfm file. Note that the path separator "/", query string separator "?" and name/value separator "=" are all encoded, making the entire string a single unit.

<a href="#encodeForURL("/index.cfm?x=y")#">here</a>

What should be done instead is:

<cfset pathURIEncoded = "/index.cfm?#encodeForURL("x")#=#encodeForURL("y")#">
<a href="#encodeForHTMLAttribute(Variables.pathURIEncoded)#">here</a>

Replacing x and y with variables and not static strings, of course.

nosilleg
  • encodeForUrl is not just for query strings (or name/value pairs) - it can be used anywhere in a url, so long as it's remembered that its purpose is to produce encoded text (and thus it deliberately changes delimiters). A simple example of non-qs use would be a directory based on a user name. – Peter Boughton Oct 16 '12 at 22:20
  • @PeterBoughton I have adjusted the text to not imply that uri components are limited to name value pairs. – nosilleg Oct 16 '12 at 23:28
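As an added illustration (not part of any answer above), here is the two-step approach that both Peter Boughton's answer (split the path on its delimiters, encode each piece, then attribute-encode the whole) and nosilleg's answer (encode each name and value separately rather than the whole URL) describe. It is written in JavaScript rather than CFML so it can be run in any JS engine: encodeURIComponent plays the role of encodeForURL / UrlEncodedFormat, and the small htmlAttributeEncode helper plays the role of encodeForHTMLAttribute (a minimal stand-in, not that function's real implementation). The function names and the sample inputs are constructed for the example.

```javascript
// Added example, not code from the original post or from ColdFusion.
// Step 1: URL-encode each component on its own. Delimiters that are part of
// the URL structure (/ ? = &) are emitted by us and survive; delimiters that
// appear inside user-supplied data are percent-encoded.
// encodeURIComponent ~ encodeForURL / UrlEncodedFormat in CFML.
function buildHref(pathSegments, queryParams) {
  const path = pathSegments.map((seg) => encodeURIComponent(seg)).join('/');
  const qs = Object.entries(queryParams)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  return qs ? `/${path}?${qs}` : `/${path}`;
}

// Step 2: encode for the HTML attribute context. This minimal stand-in for
// encodeForHTMLAttribute escapes the characters that could close the
// attribute or be read as markup; & is included so the query-string
// separator is not mistaken for the start of an entity.
function htmlAttributeEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The full pattern from the answers: URL-encode the parts, then
// attribute-encode the assembled URL.
function srcAttribute(pathSegments, queryParams) {
  return `src="${htmlAttributeEncode(buildHref(pathSegments, queryParams))}"`;
}

// The mistake nosilleg describes: treating a whole URL as one component.
// Every structural delimiter is encoded, so the server sees one opaque name.
function wholeUrlEncoded(url) {
  return encodeURIComponent(url);
}

// Constructed sample inputs: a user-chosen directory name containing "/",
// a filename with a space, and query values containing "&" and "=".
console.log(buildHref(['users', 'a/b'], {}));
console.log(srcAttribute(['img', 'my photo.png'], { x: 'a&b', y: 'c=d' }));
console.log(wholeUrlEncoded('/index.cfm?x=y'));
```

Note that after step 1 nothing that could break out of the attribute is left in the user-supplied data, but the assembled URL still contains raw "&" between query parameters; step 2 turns those into "&amp;", which is why Erlend's comment says to URL-encode the parameters and then HTML-attribute-encode the whole URL.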
0

For this example, I would use the encodeForHTMLAttribute method as it is a static path. The only exception would be if the value of the src attribute itself was generated from a publicly-accessible scope (sent via the URL, FORM etc) and contains dynamic data. If this was the case, I would use the encodeForURL() method.

Matt Gifford
  • let's say it's dynamic data. Why would you suggest to use `encodeForURL()` instead of `encodeForHTMLAttribute()`? Seems like you're implying that `encodeForURL()` is stronger? – Henry Oct 16 '12 at 21:45