ESAPIEncode - Mura Docs v6


Scattered throughout this section, and throughout the default theme that ships with Mura, you'll find references to a special method called esapiEncode. This method is used to encode a given string for safe output to stop Cross Site Scripting attacks. You can safely use this method in Mura, even though it has not been fully implemented in all available CFML engines yet. We highly recommend you utilize this method where appropriate. For example, text that has been entered into a textbox or textarea form field by an end user or content manager. Refer to the use cases in this section for detailed examples.

Function Syntax

esapiEncode( encodeFor, string )


Parameter Description
(string, required)

encode for what, valid values are:

  • css: for output inside Cascading Style Sheets (CSS)
  • dn: for output in LDAP Distinguished Names
  • html: for output inside HTML
  • html_attr: for output inside HTML Attributes
  • javascript: for output inside Javascript
  • ldap: for output in LDAP queries
  • url: for output in URL
  • vbscript: for output inside vbscript
  • xml: for output inside XML
  • xml_attr: for output inside XML Attributes
  • xpath: for output in XPath
(string, required)

string to encode