Home/ Questions/Q 994367
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T06:33:53+00:00

I am populating form variables from a database. If the field value has a

  • 0

I am populating form variables from a database.
If the field value has a double quote in it, such as 3″ for 3 inches, then the html source looks like the following:

<input name="width" value="3"">

Q: How do I handle fields that contain double quotes?

I first thought it was a cfqueryparam problem, but it turns out it’s an html problem.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Use HtmlEditFormat when displaying the value.

    Like this:

    <input name="width" value="#HtmlEditFormat(Form.Width)#" />

    There is also:

    XmlFormat for XML output;
    JsStringFormat for JavaScript output;
    UrlEncodedFormat for URL content.

    For more complete/heavyweight stuff, you could consider OWASP’s ESAPI – a Java Security API which can be used from CF and provides the following:

    Context        Method
-------        ------
HTML           esapi.encodeForHTML(variable)
HTML Attribute esapi.encodeForHTMLAttribute(variable)
JavaScript     esapi.encodeForJavaScript(variable)
CSS            esapi.encodeForCSS(variable)
URL            esapi.encodeForURL(variable)

    (from Pete Freitag’s cfunited presentation slides)

    • 0