
I have a text field which people can type anything they want in. However, when I get the value from the text field I want to return the values encoded so that quotes get a value like &quot; instead of plain ".

I need this because the plain values are causing me problems later on in the site when using them in an HTML attribute such as a description meta tag.

Is there a way to get the proper HTML code for special characters from an <input type="text"/> form element?

volume one

4 Answers


ColdFusion actually includes the OWASP ESAPI utilities that are specifically intended for this dating back to ColdFusion 8 (if updated with the appropriate security hot fix). See this article from Pete Freitag - ColdFusion's Builtin Enterprise Security API

One of the nice side effects to installing the latest ColdFusion security hotfix is that ColdFusion 8 and ColdFusion 9 now both include the jar files for the OWASP ESAPI or Enterprise Security API.

This means that it’s now very very easy to leverage this powerful security API from within your ColdFusion code.

Here's a quick example of how you might use the ESAPI encoder to prevent cross site scripting:

<cfset esapi = CreateObject("java", "org.owasp.esapi.ESAPI")>
<cfset esapiEncoder = esapi.encoder()>
<cfoutput><p>Hello #esapiEncoder.encodeForHTML(url.name)#</p></cfoutput>

The Encoder class has methods for encoding all kinds of input so they can be safely used in various contexts. Here's a listing of some handy encoders:

encodeForHTML - used for encoding a string between HTML tags.
encodeForHTMLAttribute - used for encoding a string inside of a HTML attribute.
encodeForURL - used for encoding inside of a url, eg: in a href.
encodeForJavaScript - used for an input inside a javascript variable or in a function argument.
encodeForCSS - used for encoding variable inside of CSS (eg inline style attributes).
encodeForXML - encoding variables inside XML.
encodeForXPath - encode variables in an XPath query.

What else can ESAPI do?

ESAPI also provides helpers for Validation, Encryption, Logging, Randomization, and more. Check out the docs to see what it can do.

The new security functions encodeFor* beginning with ColdFusion 10 are actually an implementation of these utilities. ColdFusion 10 Provides Powerful New Security Tools

These utilities do much more for you than htmlEditFormat() will. As noted, they include specific encoding/decoding functions for the various contexts: HTML, HTML attributes, URL, JavaScript, CSS, XML and XPath. They also include validation for the same. I would encourage you to check them out. I have previously posted a question on how to implement validation using these utilities which may help you - How to implement the OWASP ESAPI validator with groups of validation attempts in ColdFusion?

Reference - OWASP Enterprise Security API

Miguel-F

Although you didn't specify any programming language, you can use the htmlspecialchars() function in PHP for this. You would just need to use:

echo htmlspecialchars($_POST['inputname']);

See this page for more info.

Alex Yorke
  • Very nice, I just discovered ColdFusion has htmlEditFormat() which does the same thing – volume one Aug 23 '14 at 20:28
  • No problem. In PHP there's also a `htmlspecialchars_decode()` function that you can use to convert anything with values encoded back into their special characters. I'm not sure if ColdFusion has something similar - you'll have to check that :) – Alex Yorke Aug 23 '14 at 20:30
    If you're using cf 10+ you can use the encodefor* functions (encodeforHTML() specifically). Htmleditformat() for cf9 and older. – Sean Coyne Aug 23 '14 at 21:16

You can do it with jQuery. See this post on codeproject

Sjoerd222888

This removes only the few important characters, and you don't have to add a big library to achieve this.

var HTML_ENTITIES = {
  '&': '&amp;',
  '>': '&gt;',
  '<': '&lt;',
  '"': '&quot;',
  "'": '&#39;'
};

// HTML escaping: replace the five characters that matter in HTML text and
// quoted attribute values with their entity equivalents.
var htmlEscape = function(text) {
  // an empty, null or undefined input is returned unchanged
  return text && text.replace(/[&"'><]/g, function(character) {
    return HTML_ENTITIES[character];
  });
};

Hope this helps

Ankit Ladhania
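The escaper above applied to the asker's own case (a description meta tag) plus the decode direction mentioned in the comments, as an added example that is not code from any of the posters; the function and sample names are my own, and the input string is constructed.

```javascript
// Added example: escape untrusted text for a quoted HTML attribute such as
// <meta name="description" content="...">, and decode it again afterwards.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// '&' must be in the map, otherwise input that already contains "&quot;"
// would be turned back into a raw quote when the browser parses the page.
// '&#39;' is used instead of '&apos;' because the latter is not defined in HTML 4.
function htmlEscape(text) {
  if (text === null || text === undefined) return '';
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Reverse of htmlEscape, comparable to PHP's htmlspecialchars_decode().
// Only the five entities produced by htmlEscape are handled.
const HTML_ENTITY_DECODE = Object.fromEntries(
  Object.entries(HTML_ENTITIES).map(([ch, ent]) => [ent, ch])
);
function htmlUnescape(encoded) {
  return String(encoded).replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => HTML_ENTITY_DECODE[ent]);
}

// Builds the meta tag from the question. The attribute value is always put in
// double quotes: escaping alone does not protect an unquoted attribute, where
// a space in the input would end the value.
function metaDescription(userText) {
  return '<meta name="description" content="' + htmlEscape(userText) + '">';
}

// Constructed sample: something a visitor might type into the text field.
const sample = 'Joe\'s "Best" Bikes <open 24/7 & more>';

console.log(metaDescription(sample));
// <meta name="description" content="Joe&#39;s &quot;Best&quot; Bikes &lt;open 24/7 &amp; more&gt;">
console.log(htmlUnescape(htmlEscape(sample)) === sample); // true
```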