
EncodeForHTML vs. HTMLEditFormat

August 04, 2019 10:40:46 PM GMT
Is EncodeForHTML, as it is, more secure than HTMLEditFormat?

The post EncodeForHTML vs. HTMLEditFormat appeared first on ColdFusion (https://coldfusion.adobe.com/2019/08/encodeforhtml-vs-htmleditformat/).
Labels: ColdFusion, Language Enhancement, Question, security


Yes, there is indeed far more benefit to that than the very old htmleditformat (which only encoded a few characters). And more than just using encodeforhtml, consider also the related functions added with it in CF10 (encodeforurl, encodeforjavascript, etc.), and/or their member function equivalents added in CF2016. These all perform encoding based on the OWASP ESAPI project. As you posted another question at the same time (https://coldfusion.adobe.com/2019/08/input-validation-avoid-xss/), and I had already answered that in more detail, with links to references, I would point you (and readers of this) to that for more on the encodefor features and their benefits.
Comment by Charlie Arehart
2228 | August 06, 2019 03:50:08 PM GMT
I found, somehow, the EncodeForHTML ruined emoji in the text (turned them into "? in diamond") while the old deprecated HTMLEditFormat didn't. Is there a way we can use the newer, better EncodeForHTML while keeping emoji?
Comment by Billy Fan
3521 | November 14, 2019 07:12:53 PM GMT
All these functions simply control what HTML is generated. Look at the page you are seeing the problem on, and do a "view source". Report what you are seeing. Maybe someone can then recommend a better solution--or help understand why you are hitting the problem, in which case you may want to open a bug report at tracker.adobe.com instead.
Comment by Charlie Arehart
3518 | November 14, 2019 08:37:24 PM GMT
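The following is an added example, not code from the thread or from Adobe ColdFusion. It models in Python the two behaviours the thread contrasts: a minimal escaper that rewrites only four characters (the HTMLEditFormat style) and an ESAPI-style encoder that lets ASCII alphanumerics and a small immune set through and turns everything else into a hex numeric character reference. It also shows one mechanism, stated here as a hypothesis rather than a finding about ColdFusion, that produces exactly the "? in diamond" symptom: applying the per-character policy to UTF-16 code units instead of Unicode code points splits an emoji into two surrogate halves, and the HTML spec makes a browser render a numeric reference to a surrogate as U+FFFD. The `surrogate_refs` check is the "view source" test Charlie suggests, automated: it lists the references a page contains that a browser will render as a replacement character. The immune set and the `&#x...;` form follow OWASP ESAPI's HTML encoder; whether CF emits named or numeric entities for a given character is an assumption, not something the page states.

```python
import html
import re

# Model of the legacy HTMLEditFormat: only these four characters are rewritten.
# Note that the apostrophe is not among them, so a single-quoted attribute
# value is left unprotected by this style of escaping.
_MINIMAL = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}


def html_edit_format_model(text: str) -> str:
    return "".join(_MINIMAL.get(ch, ch) for ch in text)


# ESAPI-style policy (assumed, modelled on OWASP ESAPI's HTML encoder):
# ASCII letters/digits and a small immune set pass through unchanged,
# everything else becomes a hex numeric character reference.
_IMMUNE = set(",.-_ ")


def _encode_unit(ch: str) -> str:
    if (ch.isascii() and ch.isalnum()) or ch in _IMMUNE:
        return ch
    return f"&#x{ord(ch):x};"


def encode_for_html_codepoints(text: str) -> str:
    # Python iterates a str by Unicode code point, so U+1F600 is one unit
    # and is emitted as a single, valid reference.
    return "".join(_encode_unit(ch) for ch in text)


def encode_for_html_utf16_units(text: str) -> str:
    # The same policy applied per UTF-16 code unit, the shape of a Java
    # char-by-char loop: an emoji becomes two surrogate halves, each encoded
    # on its own. This is a hypothetical mechanism, not CF's actual code.
    raw = text.encode("utf-16-le")
    units = (int.from_bytes(raw[i:i + 2], "little") for i in range(0, len(raw), 2))
    return "".join(_encode_unit(chr(cu)) for cu in units)


_NCR = re.compile(r"&#([xX][0-9a-fA-F]+|[0-9]+);")


def surrogate_refs(markup: str) -> list:
    """Numeric references in the markup that point at surrogate code points
    (U+D800..U+DFFF). A browser renders each of these as U+FFFD, the
    '? in a diamond', so finding any in 'view source' explains the symptom."""
    found = []
    for m in _NCR.finditer(markup):
        body = m.group(1)
        cp = int(body[1:], 16) if body[0] in "xX" else int(body)
        if 0xD800 <= cp <= 0xDFFF:
            found.append(m.group(0))
    return found


def browser_text(markup: str) -> str:
    """Text a spec-compliant HTML parser produces for the encoded markup.
    html.unescape follows the HTML spec: surrogate references become U+FFFD."""
    return html.unescape(markup)


if __name__ == "__main__":
    # Constructed sample: a grinning-face emoji (U+1F600) and an apostrophe.
    sample = "it's \U0001F600"
    print("HTMLEditFormat model :", html_edit_format_model(sample))
    print("code-point encoder   :", encode_for_html_codepoints(sample))
    bad = encode_for_html_utf16_units(sample)
    print("UTF-16-unit encoder  :", bad)
    print("browser shows        :", browser_text(bad))
    print("surrogate refs found :", surrogate_refs(bad))
```

Run against real page source, `surrogate_refs` distinguishes the two cases a practitioner cares about: if the emoji arrives as one reference such as `&#x1f600;`, the encoder is fine and the diamond comes from somewhere else (charset of the response, the database connection, or the font); if it arrives as a pair such as `&#xd83d;&#xde00;`, the encoder is splitting surrogate pairs and the text was intact until output time.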
That would be a good one for StackOverflow
Comment by James Mohler
3535 | November 15, 2019 01:04:48 AM GMT