| Parameter | Description | Default |
| type="safe" | Encode special characters into HTML entities to avoid XSS exploits: "<", ">", "%", single quote (') and double quote (") | type="url" |
| type="entity" | Encode special characters into HTML entities, like a double quote into &#034;. Does not encode \n or \r. | type="url" |
| type="html" | As type="entity" except it also encodes \n and \r | type="url" |
| type="quotes" | Escape double quotes with backslashes (\"), does not change other characters | type="url" |
| type="url" | Encode special characters for URL parameter use, like a double quote into %22 (this is the default) | |
Added:
> >
| Parameter | Description | Default |
| type="quotes" | Escape double quotes with backslashes (\"), does not change other characters. This type does not protect against cross-site scripting: a backslash has no escaping meaning in HTML, so a quote escaped this way can still terminate an attribute value. | type="url" |
| type="moderate" | Encode special characters into HTML entities for moderate cross-site scripting protection: "<", ">", single quote (') and double quote (") are encoded. Because "%" is left unencoded, TWiki variables in the input are still expanded when the page is rendered; useful to allow TWiki variables in comment boxes, and only where that expansion is intended. | type="url" |
| type="safe" | Encode special characters into HTML entities for cross-site scripting protection: "<", ">", "%", single quote (') and double quote (") are encoded. | type="url" |
| type="entity" | Encode special characters into HTML entities, like a double quote into &#034;. Does not encode newline (\n) or carriage return (\r). Useful to encode text properly in HTML input fields. | type="url" |
| type="html" | As type="entity" except it also encodes \n and \r | type="url" |
Example: %ENCODE{"spaced name"}% expands to spaced%20name
Notes:
Values of HTML input fields must be entity encoded. Example: <input type="text" name="address" value="%ENCODE{ "any text" type="entity" }%" />
Double quotes in strings must be escaped when passed into other TWiki variables. Example: %SEARCH{ "%ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%
Changed:
< <
Use type="entity" or type="safe" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="entity" is more aggressive, but some TWiki applications might not work. type="safe" provides a safe middle ground.
> >
Use type="moderate", type="safe" or type="entity" to protect user input from URL parameters and external sources against cross-site scripting (XSS). type="entity" is the safest mode, but some TWiki applications might not work with it. type="safe" provides a safe middle ground; type="moderate" provides only moderate protection because it leaves "%" unencoded, so TWiki variables contained in the input are still expanded.
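The difference between the type= modes above, as an added worked example in Python. This is not TWiki's own Perl implementation: the encoders are written from the descriptions on this page, the exact set of characters that type="entity" and type="html" treat as special is an assumption (here: everything that is not alphanumeric or a space), and the two sample inputs are constructed. It runs the <input> example from the Notes through every mode and reports whether the encoded value can still close the attribute, and whether %VAR% syntax survives encoding and would be expanded by TWiki.

```python
import re
import urllib.parse

# Added illustration of ENCODE's type= modes, written from the page's
# descriptions; not TWiki's implementation. Sample inputs are constructed.


def _num_entity(ch: str) -> str:
    """Numeric HTML entity for one character, e.g. '"' -> '&#034;'."""
    return "&#%03d;" % ord(ch)


def encode_url(s: str) -> str:
    """type="url": percent-encode for URL parameter use ('"' -> %22, ' ' -> %20)."""
    return urllib.parse.quote(s, safe="")


def encode_quotes(s: str) -> str:
    """type="quotes": backslash-escape double quotes only. Not an XSS defence."""
    return s.replace('"', '\\"')


def encode_moderate(s: str) -> str:
    """type="moderate": entity-encode < > ' " only, so "%" (TWiki variables) survives."""
    return "".join(_num_entity(c) if c in '<>\'"' else c for c in s)


def encode_safe(s: str) -> str:
    """type="safe": as moderate, plus "%", so embedded %VAR% syntax is neutralised."""
    return "".join(_num_entity(c) if c in '<>%\'"' else c for c in s)


def encode_entity(s: str, encode_newlines: bool = False) -> str:
    """type="entity": entity-encode every character that is not alphanumeric or a
    space (assumed set; the page only names '"' as an example), leaving \\n and \\r
    alone. type="html" is the same mode with \\n and \\r encoded as well."""
    out = []
    for c in s:
        if c.isalnum() or c == " ":
            out.append(c)
        elif c in "\n\r" and not encode_newlines:
            out.append(c)
        else:
            out.append(_num_entity(c))
    return "".join(out)


def encode_html(s: str) -> str:
    return encode_entity(s, encode_newlines=True)


ENCODERS = {
    "url": encode_url, "quotes": encode_quotes, "moderate": encode_moderate,
    "safe": encode_safe, "entity": encode_entity, "html": encode_html,
}


def encode(s: str, type_: str = "url") -> str:
    """%ENCODE{"s" type="..."}% with type="url" as the default, as on the page."""
    return ENCODERS[type_](s)


_TAG_RE = re.compile(r"<\s*[a-zA-Z]")            # a raw '<tag' in the output
_VAR_RE = re.compile(r"%[A-Z]+(\{.*?\})?%")       # %VAR% or %VAR{...}% syntax


def render_input(value: str, type_: str) -> str:
    """The <input> from the Notes section with the value run through ENCODE."""
    return '<input type="text" name="address" value="%s" />' % encode(value, type_)


def breaks_out(value: str, type_: str) -> bool:
    """True if the encoded value still contains a raw '"' (closes the attribute)
    or a raw '<tag' (opens a new element). A backslash does not escape anything
    in HTML, so type="quotes" output still breaks out."""
    enc = encode(value, type_)
    return '"' in enc or _TAG_RE.search(enc) is not None


def leaves_twiki_variables(value: str, type_: str) -> bool:
    """True if %VAR% syntax survives encoding and would be expanded on render."""
    return _VAR_RE.search(encode(value, type_)) is not None


# Constructed sample inputs: an attribute-breakout XSS payload and a string
# carrying a TWiki variable (the topic name is made up for the example).
XSS_PAYLOAD = '"><script>alert(document.cookie)</script>'
VAR_PAYLOAD = 'see %INCLUDE{"Main.SecretTopic"}% here'

if __name__ == "__main__":
    for t in ENCODERS:
        print("type=%-8s breaks out: %-5s  keeps %%VAR%%: %-5s  %s" % (
            t, breaks_out(XSS_PAYLOAD, t), leaves_twiki_variables(VAR_PAYLOAD, t),
            render_input(XSS_PAYLOAD, t)))
```

Running it shows why the Notes recommend type="entity" for input fields and warn about type="quotes": only the quotes mode lets the payload close the value attribute, while moderate and quotes are the only modes that keep %INCLUDE{...}% intact for TWiki to expand.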