esapiEncode
Scattered throughout this section, and throughout the default theme that ships with Mura, you'll find references to a special method called esapiEncode. This method encodes a given string for safe output in order to prevent Cross-Site Scripting (XSS) attacks. You can safely use this method in Mura, even though it has not yet been fully implemented in all available CFML engines.
Function Syntax
esapiEncode( encodeFor, string )
Parameters
Parameter | Type | Req/Opt | Default | Description |
---|---|---|---|---|
encodeFor | string | Required | | Which output context to encode for (the example below uses 'html'). |
string | string | Required | | The string to encode. |
Usage
We highly recommend using this function whenever you output user-entered text. For example, content managers enter text into Mura fields such as the Title, Credits, Meta Description, Meta Keywords, etc. Wherever you output these fields in your layout templates, be sure to pass the field in as the string to encode.
Example
The following example encodes a content item's "Title" for output inside standard HTML heading tags.
<cfoutput> <h2>#esapiEncode('html', m.content('title'))#</h2> </cfoutput>
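As an added example that is not part of the Mura documentation or its default theme, the layout-template fragment below extends the Usage section's advice to several output contexts: the same content fields are passed to esapiEncode with an encodeFor value that matches where each one is written. The 'html_attr', 'javascript' and 'url' encodeFor values are assumed from the Adobe ColdFusion and Lucee documentation for esapiEncode, and m.content('metaDesc') is an assumed field name.

```cfml
<!--- Added example (not Mura's own code): choose the encoder by output context.
      'html_attr', 'javascript' and 'url' are assumed from the CFML engine docs;
      'metaDesc' is an assumed Mura field name. --->
<cfoutput>
  <!--- Element text content: HTML entity encoding, as in the page's own example --->
  <h2>#esapiEncode('html', m.content('title'))#</h2>
  <p class="credits">#esapiEncode('html', m.content('credits'))#</p>

  <!--- Quoted attribute value: attribute encoding, so a stray quote in the
        field cannot close the attribute and start a new one --->
  <meta name="description" content="#esapiEncode('html_attr', m.content('metaDesc'))#">

  <!--- Inside a JavaScript string literal: JavaScript encoding, because HTML
        entity encoding would leave quotes and backslashes live in the script --->
  <script>
    var pageTitle = '#esapiEncode('javascript', m.content('title'))#';
  </script>

  <!--- Inside a URL query string: URL (percent) encoding --->
  <a href="/search/?q=#esapiEncode('url', m.content('title'))#">More like this</a>
</cfoutput>
```

Each block of markup gets the encoder for its own context; reusing 'html' everywhere would leave the attribute, script and URL positions only partly protected.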