htmlEditFormat()? or encodeForHtml()? or ESAPIEncode('html',...)?

Ok, so htmlEditFormat() was deprecated in ACF, see
https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-h-im/htmleditformat.html
“…Note: Adobe recommends that you use the EncodeForHTML (https://helpx.adobe.com/content/help/en/coldfusion/cfml-reference/coldfusion-functions/functions-e-g/encodeforhtml.html) function, not the HTMLEditFormat function, to escape special characters in a string for use in HTML in all new applications. …”

encodeForHTML() was deprecated in Lucee, see


“…this function is deprecated, use function ESAPIEncode(‘html’,…) instead. …”

ESAPIEncode() is not supported in ACF, see
http://cfdocs.org/esapiencode

What exactly is the difference between ESAPIEncode and encodeForHTML()? (Something like this with a new column ESAPIEncode() would be great: http://damonmiller.github.io/esapi4cf/tutorials/Encoding.html)
I found a bundled esapi.jar in the Lucee lib folder, ESAPI 2.0.1 from 2011-07-25. Is this library used in Lucee by ESAPIEncode?

Cool, I am fascinated – so which function (supported in ACF AND Lucee) should we use now?

Thanks,
Harry

There is no difference at all between ESAPIEncode( ‘HTML’, foo ) and
encodeForHTML( foo ). The former was an attempt to have a single
consolidated function instead of a number of small ones. This decision has
been reversed and in Lucee 5 the encodeForXXX() functions are not
deprecated but the ESAPIEncode() function is.

Use whichever one reads/types the easiest to you. I personally prefer
encodeForXXX().

Thanks!

~Brad

6 posts were split to a new topic: Individual encodeForXXX() functions
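
As an added example (not part of either post above), this template applies the encodeForXXX() functions, which exist in both ACF and Lucee, to one value in four output contexts. The sample value and the `/search.cfm` path are constructed for illustration.

```cfml
<cfscript>
// Constructed sample value standing in for untrusted input (assumption for this example).
// A doubled single quote is CFML's escape for a literal ' inside a single-quoted string.
userInput = 'O''Reilly <b>& "friends"</b>';
</cfscript>

<cfoutput>
<!--- HTML body context: markup characters are rendered as text, not as tags. --->
<p>Search term: #encodeForHTML( userInput )#</p>

<!--- HTML attribute context: quote characters must not be able to close the
      attribute. htmlEditFormat() escapes only <, >, & and the double quote, so
      it offers no protection in a single-quoted attribute. --->
<input type="text" name="q" value="#encodeForHTMLAttribute( userInput )#">

<!--- URL parameter context: percent-encode the value, not the whole URL.
      /search.cfm is a hypothetical path. --->
<a href="/search.cfm?q=#encodeForURL( userInput )#">Repeat search</a>

<!--- JavaScript string context: HTML encoding is the wrong tool here. --->
<script>
    var lastQuery = '#encodeForJavaScript( userInput )#';
</script>
</cfoutput>

<!--- Lucee only: per the answer above, ESAPIEncode( 'html', userInput ) gives the
      same result as encodeForHTML( userInput ). ESAPIEncode() is not supported in
      ACF, so it is left out of this template. --->
```

Pick the function by where the value lands in the page, not by where it came from.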