EncodeForHTML vs. HTMLEditFormat

August 04, 2019 10:40:46 PM GMT
1 Comment
<p>Is EncodeForHTML more secure than HTMLEditFormat?</p>
<p>The post <a rel="nofollow" href="https://coldfusion.adobe.com/2019/08/encodeforhtml-vs-htmleditformat/">EncodeForHTML vs. HTMLEditFormat</a> appeared first on <a rel="nofollow" href="https://coldfusion.adobe.com">ColdFusion</a>.</p>
Labels: ColdFusion, Language Enhancement, Question, security


Yes, there is indeed far more benefit to that than the very old htmleditformat (which only encoded a few characters). And more than just using encodeforhtml, consider also the related functions added with it in CF10 (encodeforurl, encodeforjavascript, etc.), and/or their member function equivalents added in CF2016. These all perform encoding based on the OWASP ESAPI project. As you posted <a href="https://coldfusion.adobe.com/2019/08/input-validation-avoid-xss/">another question at the same time</a>, and I had already answered that in more detail, with links to references, I would point you (and readers of this) to that for more on the encodefor features and their benefits.
Comment by Charlie Arehart, August 06, 2019 03:50:08 PM GMT
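The following is an added example, not code from the original post or from Adobe, showing the difference the comment above describes: htmlEditFormat() escapes only &amp;, &lt;, &gt; and the double quote, so a value containing a single quote still breaks out of a single-quoted attribute, whereas the CF10 encodeFor* functions encode per output context. The payload string is constructed for illustration; it assumes ColdFusion 10 or later for the encodeFor* functions and ColdFusion 2016 or later for the member-function form.

```cfml
<cfscript>
// Constructed sample input (not from the original post): a value that tries to
// close a single-quoted attribute and inject an event handler.
userInput = "x' onmouseover='alert(1)";

// htmlEditFormat() only escapes &, <, > and ". The single quote passes through
// untouched, so this markup still ends up with an onmouseover handler.
legacyAttr = "<div title='" & htmlEditFormat(userInput) & "'>legacy</div>";

// The CF10+ encoders are context-specific: pick the one matching the sink the
// value lands in. encodeForHTMLAttribute() entity-encodes the quote as well, so
// the browser sees one attribute value and nothing executes.
safeAttr = "<div title='" & encodeForHTMLAttribute(userInput) & "'>safe</div>";
safeBody = "<p>" & encodeForHTML(userInput) & "</p>";
safeJs   = "<script>var q = '" & encodeForJavaScript(userInput) & "';</script>";
safeUrl  = '<a href="search.cfm?q=' & encodeForURL(userInput) & '">search</a>';

// CF2016+ member-function form of the same call.
safeBodyMember = "<p>" & userInput.encodeForHTML() & "</p>";

// Render the generated markup as text (via encodeForHTML) so the encoded output
// of each function is visible in the page rather than interpreted by the browser.
cases = [
    ["htmlEditFormat in a single-quoted attribute (breaks out)", legacyAttr],
    ["encodeForHTMLAttribute", safeAttr],
    ["encodeForHTML (element body)", safeBody],
    ["encodeForJavaScript (JS string literal)", safeJs],
    ["encodeForURL (query string value)", safeUrl],
    ["encodeForHTML member function", safeBodyMember]
];
for (c in cases) {
    writeOutput("<b>" & encodeForHTML(c[1]) & ":</b> <code>" & encodeForHTML(c[2]) & "</code><br>");
}
</cfscript>
```

Save this as a .cfm page and request it: the first line shows the legacy output still containing `' onmouseover='alert(1)`, while each encodeFor* line shows the quote and other metacharacters encoded in the form appropriate to that context. The point to carry away is that the encoder must match the sink; encodeForHTML() is not a drop-in for a JavaScript string or a URL parameter any more than htmlEditFormat() was.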