esapiEncode - Mura Docs v7.0


Scattered throughout this section, and throughout the default theme that ships with Mura, you'll find references to a special method called esapiEncode. This method is used to encode a given string for safe output to stop Cross Site Scripting attacks. You can safely use this method in Mura, even though it has not been fully implemented in all available CFML engines yet.

Function Syntax

esapiEncode( encodeFor, string )


Parameter Type Req/Opt Default Description
encodeFor string Required  

encode for what, valid values are:

  • css: for output inside Cascading Style Sheets (CSS)
  • dn: for output in LDAP Distinguished Names
  • html: for output inside HTML
  • html_attr: for output inside HTML Attributes
  • javascript: for output inside Javascript
  • ldap: for output in LDAP queries
  • url: for output in URL
  • vbscript: for output inside vbscript
  • xml: for output inside XML
  • xml_attr: for output inside XML Attributes
  • xpath: for output in XPath
string string Required  

string to encode


We highly recommend to use this function whenever outputting user-entered text. For example, content managers enter text into Mura fields such as the Title, Credits, Meta Description, Meta Keywords, etc. Wherever you output these fields in your layout templates, be sure to pass the field in as the string to encode.


The following example encodes a content item's "Title" for output inside of standard HTML heading tags.

<h2>#esapiEncode('html', m.content('title'))#</h2>