
In a function I do not control, data is being returned via

return xmlFormat(rc.content)

I later want to do a

<cfoutput>#resultsofreturn#</cfoutput>

The problem is all the HTML tags are escaped.

I have considered

<cfoutput>#DecodeForHTML(resultsofreturn)#</cfoutput>

But I am not sure these are inverses of each other

James A Mohler
  • `XmlFormat()` converts using following rule: `Greater than symbol (>) &gt; Less than symbol (<) &lt; Single-quotation mark (') &apos; Double-quotation mark (") &quot; Ampersand symbol (&) &amp; Carriage return (but not line feed) Removed from the text. High ASCII characters in the range 159-255. Replaced by unicode escape sequence; for example, É (capital E with an Acute symbol) is replaced by &#xc9;.`. Maybe you can create a custom decode function if required using the above conversion rules. – Abhishekh Gupta Apr 29 '18 at 18:48
  • @Beginner - Does it actually escape high ascii? I wasn't sure and it didn't seem to on trycf.com with 11+. – SOS Apr 30 '18 at 02:19
  • @Ageax Yes, it is. Here is the [gist.](https://trycf.com/gist/e80f6c54c5be8fb23ce4e028fb1a839d/acf2016?theme=monokai) I think you used `cfoutput` to display. – Abhishekh Gupta Apr 30 '18 at 06:37
  • @Beginner - Yep, I did (doh!) :-) Thanks. – SOS Apr 30 '18 at 12:52

2 Answers


As of CF 10, you should be using the newer encodeFor functions. These functions account for high ASCII characters as well as UTF-8 characters.

Old and Busted

  • XmlFormat()
  • HTMLEditFormat()
  • JSStringFormat()

New Hotness

  • encodeForXML()
  • encodeForXMLAttribute()
  • encodeForHTML()
  • encodeForHTMLAttribute()
  • encodeForJavaScript()
  • encodeForCSS()

The output from these functions differs by context.

Then, if you're only getting escaped HTML, you can convert it back using Jsoup or the Jakarta Commons Lang library. There are some examples in a related SO answer.

Obviously, the best solution would be to update the existing function to return either version of the content. Is there a way to copy that function in order to return the unescaped content? Or can you just call it from a new function that uses the Java solution to convert the HTML?

Adrian J. Moreno

Like Adrian concluded, the best option is to implement a system to get to the pre-encoded value.

In the current state, the string you're working with is encoded for an XML document. One option is to create an XML document with the text and parse the text back out of the XML document. I'm not sure how efficient this method is, but it will return the text back to its pre-encoded value.

function xmlDecode(text){
    return xmlParse("<t>#text#</t>").t.xmlText;
}

TryCF.com example

Twillen
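
A round-trip check for the two decoders discussed on this page, added here as an example and not taken from any of the posts: it escapes constructed sample strings with `XmlFormat()`, decodes them with `DecodeForHTML()` and with the `xmlParse()` approach, and dumps whether each result equals the original. The sample strings and the variable names are assumptions.

```cfml
<cfscript>
// The xmlParse() approach from the answer above: let the XML parser undo the escaping.
function xmlDecode(required string text) {
    return xmlParse("<t>#arguments.text#</t>").t.xmlText;
}

// Constructed samples covering the XmlFormat() rules quoted in the comments:
// angle brackets, both quote types, an ampersand, a carriage return, a high-ASCII character.
samples = [
    '<p class="note">Tom & Jerry''s</p>',
    "line one" & chr(13) & chr(10) & "line two",
    "caf" & chr(233)
];

results = [];
for (original in samples) {
    escaped = xmlFormat(original);

    // Candidate inverses: the HTML decoder from the question and the XML parser.
    viaHtml = decodeForHTML(escaped);
    viaXml  = xmlDecode(escaped);

    // compare() is case-sensitive and returns 0 only for identical strings.
    row = {};
    row.original             = original;
    row.escaped              = escaped;
    row.decodeForHTMLMatches = (compare(viaHtml, original) == 0);
    row.xmlParseMatches      = (compare(viaXml, original) == 0);
    arrayAppend(results, row);
}

// Per the rule quoted in the comments, XmlFormat() removes carriage returns,
// so the second sample cannot be restored exactly by any decoder.
writeDump(results);
</cfscript>
```

A decoded value is markup again, so `<cfoutput>` will render any tags it contains; output it unencoded only when the content behind `rc.content` is trusted.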