Encode/Decode

Used to prevent XSS, these functions use the ESAPI (Enterprise Security API) library to safely handle user input.

https://github.com/lucee/extension-esapi

Functions

  • Canonicalize()

    Canonicalization is simply the operation of reducing a possibly encoded string down to its simplest form. This is important, because attackers frequently use encoding to change their input in a way that will bypass validation filters, but still be interpreted properly by the target of the attack. Note that data encoded more than once is not something that a normal user would generate and should be regarded as an attack

  • DecodeForHtml()

    Decodes the given encoded string.

  • DecodeFromURL()

    Decodes a string that has been encoded in the URL using the encodeForURL. this function is deprecated, use function ESAPIDecode('url',...) instead.

  • EncodeForCSS()

    Encodes the given string for safe output in CSS to reduce the risk of Cross Site Scripting attacks.

  • EncodeForDN()

    Encodes the given string for safe output in LDAP Distinguished Names.

  • EncodeForHTML()

    Encodes the given string for safe output in HTML to reduce the risk of Cross Site Scripting attacks.

  • EncodeForHTMLAttribute()

    Encodes the given string for safe output in HTML to reduce the risk of Cross Site Scripting attacks.

  • EncodeForJavaScript()

    Encodes the given string for safe output in JavaScript to reduce the risk of Cross Site Scripting attacks.

  • EncodeForLDAP()

    Encodes the given string for safe output in LDAP queries.

  • EncodeForSQL()

    Encodes the given string for safe output in a query to reduce the risk of SQL Injection attacks. This method is not recommended - the use of query parameters are strongly encouraged as a stronger alternative.

  • EncodeForURL()

    Encodes the given string for safe output in a URL.

  • EncodeForXML()

    Encodes the given string for safe output in XML to reduce the risk of Cross Site Scripting attacks.

  • EncodeForXMLAttribute()

    Encodes the given string for safe output in XMLAttribute to reduce the risk of Cross Site Scripting attacks.

  • EncodeForXPath()

    Encodes the given string for safe use in an XPath Query.

  • ESAPIDecode()

    Decodes a string that has been encoded with ESAPIEncode.

  • ESAPIEncode()

    Encodes the given string for safe output to reduce the risk of Cross Site Scripting attacks.

  • HTMLEditFormat()

    Replaces special characters in a string with their HTML-escaped equivalents. [version] HTML version to use. currently ignored. -1: The latest implementation of HTML 2.0: HTML 2.0 (Default) 3.2: HTML 3.2 4.0: HTML 4.0

  • Sanitize()

    Detects and masks sensitive information (such as passwords, API keys, tokens, etc.) from a given string. The function identifies patterns commonly used for sensitive data and replaces them with a mask.

  • SanitizeHtml()

    Sanitizes unsafe HTML input and removes elements and attributes like JavaScript, onclick, etc. See also https://github.com/OWASP/java-html-sanitizer

  • ToBase64()

    Calculates the Base64 representation of a string or binary object.

  • ToBinary()

    Calculates the binary representation of Base64-encoded data.

  • URLDecode()

    Decodes a URL-encoded string, converting encoded characters back to their original form. This function handles URL encoding conventions such as converting plus signs (+) to spaces and percent-encoded sequences (%xx) to their corresponding characters. The function throws an exception when encountering malformed URL encodings (such as incomplete or invalid percent sequences like %G)

  • URLEncode()

    Encodes a string to be URL-safe according to the application/x-www-form-urlencoded MIME format

  • URLEncodedFormat()

    Generates a URL-encoded string. For example, it replaces spaces with %20, and non-alphanumeric characters with equivalent hexadecimal escape sequences. Passes arbitrary strings within a URL.

Methods