Use ESAPIEncode() or EncodeForHTML() in Lucee 4.5 vs. Lucee 5?


thorste...@googlemail.com
Apr 11, 2016, 4:27:43 AM
to Lucee
Hi,

at the moment I use XMLFormat() to encode user output in my views on Lucee 4.5.

Would it be better to use ESAPIEncode('HTML',string) in Lucee 4.5, because EncodeForHTML() is deprecated?

But what's recommended for Lucee 5? I read somewhere EncodeForHTML() will be reactivated in Lucee 5?
Confused.

Thorsten

Harry Klein
Apr 11, 2016, 4:31:03 AM
to lu...@googlegroups.com

Hi Thorsten,
I was also confused, see this thread:

https://groups.google.com/forum/#!topic/lucee/90xgx_wnVs4
-Harry

--
Love Lucee? Become a supporter and be part of the Lucee project today! - http://lucee.org/supporters/become-a-supporter.html
---
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/4f29ce9b-20f5-4967-99f9-b4fa082ea724%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Zac Spitzer
Apr 11, 2016, 4:39:18 AM
to lu...@googlegroups.com
it would be nice to have a less verbose shortcut like underscore templates
i.e. <%=output_var_unescaped %> and <%-output_var_escaped %>
for traditional CFML with #'s
--
Zac Spitzer
+61 405 847 168

Risto
Apr 12, 2016, 11:39:49 AM
to Lucee
Wouldn't CFML be less verbose as you can use as few cfoutput blocks as you like?
For example, in my CMS detail template I have just one cfoutput block with up to 15 variables that just have # surrounding it.

Pete Freitag
Apr 12, 2016, 12:04:22 PM
to lu...@googlegroups.com
I would use encodeForHTML for several reasons:

1) ESAPIEncode will be deprecated in Lucee 5 (according to Brad Wood's post on the forum which Harry Klein posted a link to)
2) encodeForHTML is supported by both Lucee and ACF
3) The function name encodeForHTML is much more readable and clear as to what its purpose is, than ESAPIEncode("html", v).

FYI ACF2016 has added <cfoutput encodeFor="html">. Are there any plans for supporting this in Lucee?


--
Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner

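Added example (not code from this thread or from the Lucee project) showing the portable encodeForHTML() call recommended above next to the context-specific encoders it belongs with, inside a single cfoutput block as described earlier in the thread. The sample value is constructed; the encodeFor* functions are the standard CFML family available in ACF and Lucee 5, and the esapiEncode() context names mentioned in the comments are assumed from the Lucee 4.5 signature.

```cfml
<!--- Constructed sample: the kind of value a user could submit as a display name --->
<cfset userName = "Thorsten <b>&</b> ""friends""">

<!--- One cfoutput block for the whole view; each # expression is passed through
      the encoder for the context it is rendered into --->
<cfoutput>
  <!--- HTML element body: encodeForHTML() works on both Lucee 5 and ACF;
        on Lucee 4.5 the equivalent spelling is esapiEncode("html", userName) --->
  <p>Hello, #encodeForHTML(userName)#</p>

  <!--- Quoted attribute value: a separate encoder, because the characters that
        matter inside an attribute differ from those in element text
        (Lucee 4.5 assumption: esapiEncode("html_attr", userName)) --->
  <input type="text" name="displayName" value="#encodeForHTMLAttribute(userName)#">

  <!--- Query-string parameter: percent-encoding, not entity encoding --->
  <a href="profile.cfm?name=#encodeForURL(userName)#">Profile</a>

  <!--- String literal inside inline JavaScript --->
  <script>var displayName = "#encodeForJavaScript(userName)#";</script>
</cfoutput>
```

XmlFormat(), the function the original question starts from, is an XML escaper rather than a context-aware HTML encoder, which is why the replies steer towards the encodeFor* family: the same untrusted value needs a different encoding depending on whether it lands in element text, an attribute, a URL or a script block.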
Brad Wood
Apr 13, 2016, 11:03:37 AM
to Lucee, pe...@foundeo.com
> FYI ACF2016 has added <cfoutput encodeFor="html"> are there any plans for supporting this in Lucee?

Nice feature, I hadn't heard about that one. Someone just needs to put in a ticket for it. What will be cool is that on Lucee, you could set that to be your default for the cfoutput tag if you wished in Application.cfc.

Thanks!

~Brad

Mark Drew
Apr 13, 2016, 11:25:34 AM
to lucee