Use ESAPIEncode() or EncodeForHTML() in Lucee 4.5 vs. Lucee 5?

Hi,

at the moment I use XMLFormat() to encode user output in my views on Lucee
4.5.

Would it be better to use ESAPIEncode('HTML', string) in Lucee 4.5, because
EncodeForHTML() is deprecated?

http://docs.lucee.org/reference/functions/encodeforhtml.html
http://docs.lucee.org/reference/functions/esapiencode.html

But what’s recommended for Lucee 5? I read somewhere EncodeForHTML() will
be reactivated in Lucee 5?
Confused.

Thorsten

Hi Thorsten,

I was also confused, see this thread:
https://groups.google.com/forum/#!topic/lucee/90xgx_wnVs4

-Harry

It would be nice to have a less verbose shortcut like underscore templates,
i.e. <%= output_var_unescaped %> and <%- output_var_escaped %>,
for traditional CFML with #'s.



Zac Spitzer
+61 405 847 168

Wouldn’t CFML be less verbose as you can use as few cfoutput blocks as you
like?
For example, in my CMS detail template I have just one cfoutput block with
up to 15 variables that just have # surrounding them.

I would use encodeForHTML for several reasons:

  1. ESAPIEncode will be deprecated in Lucee 5 (according to Brad Wood’s post
    on the forum which Harry Klein posted a link to)
  2. encodeForHTML is supported by both Lucee and ACF
  3. The function name encodeForHTML is much more readable and clear as to
    what its purpose is, than ESAPIEncode("html", v).

FYI ACF2016 has added are there any plans for
supporting this in Lucee?

Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner
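An added example (not code from the thread, from Lucee or from Pete) of the approach described above: one cfoutput block, with each user-controlled value wrapped in the encoder for the context it lands in. The article struct is constructed sample data; encodeForHTMLAttribute(), encodeForJavaScript() and encodeForURL() are the companion functions to encodeForHTML() in both Lucee and ACF.

```cfml
<!--- Constructed sample values standing in for user-submitted data (added example, not from the thread). --->
<cfscript>
article = {
    title  = "Tom & Jerry <b>not bold</b>",
    author = "O'Brien ""The Boss""",
    tags   = ["news", "q&a", "<new>"]
};
</cfscript>

<!---
  One cfoutput block for the whole view; every user-controlled value is wrapped in the
  encoder for the context it lands in. XMLFormat() only escapes the five XML special
  characters and knows nothing about attribute, JavaScript or URL contexts.
  On Lucee 4.5 the ESAPIEncode() equivalents are ESAPIEncode("html", v),
  ESAPIEncode("htmlattribute", v), ESAPIEncode("javascript", v) and ESAPIEncode("url", v).
--->
<cfoutput>
<h1>#encodeForHTML(article.title)#</h1>
<p>By <span title="#encodeForHTMLAttribute(article.author)#">#encodeForHTML(article.author)#</span></p>
<ul>
<cfloop array="#article.tags#" index="tag">
    <li>#encodeForHTML(tag)#</li>
</cfloop>
</ul>
<!--- A JavaScript string literal is a different context; encodeForHTML() would be the wrong encoder here. --->
<script>
    var articleTitle = "#encodeForJavaScript(article.title)#";
</script>
<!--- Query-string values get URL encoding; the surrounding href attribute is static text here. --->
<a href="/search.cfm?tag=#encodeForURL(article.tags[2])#">Search tag</a>
</cfoutput>
```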


Added https://luceeserver.atlassian.net/browse/LDEV-817

On 13 Apr 2016, at 16:03, Brad Wood <@Brad_Wood> wrote:

FYI ACF2016 has added are there any plans for supporting this in Lucee?

Nice feature, I hadn’t heard about that one. Someone just needs to put in a ticket for it. What will be cool is that on Lucee, you could set that to be your default for the cfoutput tag if you wished in Application.cfc.

Thanks!

~Brad


