Which one’s correct?
<img src="#encodeForHTMLAttribute(FORM.path)#">
or
<img src="#encodeForURL(FORM.path)#">
or
<img src="#encodeForHTMLAttribute(encodeForURL(FORM.path))#">
?
Use the method(s) which match the context of where you are inserting the text that needs encoding.
encodeForUrl is for placing dynamic text into a URL – so it will replace / with %2F (and so on), and if you apply it to an entire URL, you will have an encoded URL (which is therefore broken for use in a src attribute).

If you are allowing users to supply a partial URL, you would need to split on / (and any other relevant delimiters), apply encodeForUrl on each part, then join back together again.

Note: encodeForUrl appears to pass its string straight to Java, which means backslashes are treated as escape characters – \b\n encodes to %08%0A instead of %5Cb%5Cn – this behaviour is not part of standard URL encoding (nor CF strings in general). To avoid this use the function UrlEncodedFormat instead.

encodeForHTMLAttribute is for placing dynamic text into a HTML attribute – its purpose is to ensure the contents are treated as text (not parsed as HTML) – it doesn’t know/care whether its contents are a URL or something else.
In summary, you probably want encodeForHtmlAttribute( UrlEncodedFormat( Form.Path ) ) for this situation.
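
The partial-URL case described in the answer (split on /, encode each part, join, then encode for the attribute), as an added example that is not part of the original answer. The helper name encodePathForSrc and the sample paths are hypothetical and constructed for illustration.

```cfml
<cfscript>
// Added example: layered encoding for a user-supplied relative path
// that ends up in an <img src="..."> attribute.
string function encodePathForSrc(required string rawPath) {
    // includeEmptyFields = true keeps leading, trailing and doubled slashes
    var segments = listToArray(arguments.rawPath, "/", true);
    var encoded = [];

    for (var segment in segments) {
        // URL context: encode each path segment on its own so the "/"
        // separators survive. UrlEncodedFormat is used instead of
        // encodeForURL because of the backslash handling noted in the answer.
        arrayAppend(encoded, urlEncodedFormat(segment));
    }

    // HTML attribute context: applied last, to the finished URL string,
    // so the value is treated as attribute text and not parsed as markup.
    return encodeForHTMLAttribute(arrayToList(encoded, "/"));
}

// Constructed sample inputs (stand-ins for FORM.path)
samples = [
    "images/summer photos/beach & sun.png", // spaces and ampersand
    "uploads/a\b\n.png",                    // backslash sequence from the note
    'x.png" onerror="y'                     // attempts to close the attribute
];
</cfscript>

<cfoutput>
<cfloop array="#samples#" index="sample">
    <img src="#encodePathForSrc(sample)#">
</cfloop>
</cfoutput>
```

Because each segment is percent-encoded before joining, characters such as the double quote and colon never reach the attribute in literal form; only the / separators added by the join remain unencoded.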