Encode/Decode
Used to prevent XSS, these functions use the ESAPI (Enterprise Security API) library to safely handle user input.
https://github.com/lucee/extension-esapi
Functions
- Canonicalize()
Canonicalization is simply the operation of reducing a possibly encoded string down to its simplest form. This is important, because attackers frequently use encoding to change their input in a way that will bypass validation filters, but still be interpreted properly by the target of the attack. Note that data encoded more than once is not something that a normal user would generate and should be regarded as an attack
- DecodeForHtml()
Decodes the given encoded string.
- DecodeFromURL()
Decodes a string that has been encoded in the URL using the encodeForURL. this function is deprecated, use function ESAPIDecode('url',...) instead.
- EncodeForCSS()
Encodes the given string for safe output in CSS to reduce the risk of Cross Site Scripting attacks.
- EncodeForDN()
Encodes the given string for safe output in LDAP Distinguished Names.
- EncodeForHTML()
Encodes the given string for safe output in HTML to reduce the risk of Cross Site Scripting attacks.
- EncodeForHTMLAttribute()
Encodes the given string for safe output in HTML to reduce the risk of Cross Site Scripting attacks.
- EncodeForJavaScript()
Encodes the given string for safe output in JavaScript to reduce the risk of Cross Site Scripting attacks.
- EncodeForLDAP()
Encodes the given string for safe output in LDAP queries.
- EncodeForSQL()
Encodes the given string for safe output in a query to reduce the risk of SQL Injection attacks. This method is not recommended - the use of query parameters are strongly encouraged as a stronger alternative.
- EncodeForURL()
Encodes the given string for safe output in a URL.
- EncodeForXML()
Encodes the given string for safe output in XML to reduce the risk of Cross Site Scripting attacks.
- EncodeForXMLAttribute()
Encodes the given string for safe output in XMLAttribute to reduce the risk of Cross Site Scripting attacks.
- EncodeForXPath()
Encodes the given string for safe use in an XPath Query.
- ESAPIDecode()
Decodes a string that has been encoded with ESAPIEncode.
- ESAPIEncode()
Encodes the given string for safe output to reduce the risk of Cross Site Scripting attacks.
- HTMLEditFormat()
Replaces special characters in a string with their HTML-escaped equivalents. [version] HTML version to use. currently ignored. -1: The latest implementation of HTML 2.0: HTML 2.0 (Default) 3.2: HTML 3.2 4.0: HTML 4.0
- Sanitize()
Detects and masks sensitive information (such as passwords, API keys, tokens, etc.) from a given string. The function identifies patterns commonly used for sensitive data and replaces them with a mask.
- SanitizeHtml()
Sanitizes unsafe HTML input and removes elements and attributes like JavaScript, onclick, etc. See also https://github.com/OWASP/java-html-sanitizer
- ToBase64()
Calculates the Base64 representation of a string or binary object.
- ToBinary()
Calculates the binary representation of Base64-encoded data.
- URLDecode()
Decodes a URL-encoded string, converting encoded characters back to their original form. This function handles URL encoding conventions such as converting plus signs (
+
) to spaces and percent-encoded sequences (%xx
) to their corresponding characters. The function throws an exception when encountering malformed URL encodings (such as incomplete or invalid percent sequences like%G
) - URLEncode()
Encodes a string to be URL-safe according to the application/x-www-form-urlencoded MIME format
- URLEncodedFormat()
Generates a URL-encoded string. For example, it replaces spaces with %20, and non-alphanumeric characters with equivalent hexadecimal escape sequences. Passes arbitrary strings within a URL.
Methods
- string.decodeForHTML()
Decodes the given encoded string.
- string.decodeFromURL()
Decodes a string that has been encoded in the URL using the encodeForURL. this function is deprecated, use function ESAPIDecode('url',...) instead.
- string.encodeForCSS()
Encodes the given string for safe output in CSS to reduce the risk of Cross Site Scripting attacks.
- string.encodeForDN()
Encodes the given string for safe output in LDAP Distinguished Names.
- string.encodeForHTML()
Encodes the given string for safe output in HTML to reduce the risk of Cross Site Scripting attacks.
- string.encodeForHTMLAttribute()
Encodes the given string for safe output in HTML to reduce the risk of Cross Site Scripting attacks.
- string.encodeForJavascript()
Encodes the given string for safe output in JavaScript to reduce the risk of Cross Site Scripting attacks.
- string.encodeForLDAP()
Encodes the given string for safe output in LDAP queries.
- string.encodeForSQL()
Encodes the given string for safe output in a query to reduce the risk of SQL Injection attacks. This method is not recommended - the use of query parameters are strongly encouraged as a stronger alternative.
- string.encodeForURL()
Encodes the given string for safe output in a URL.
- string.encodeForXML()
Encodes the given string for safe output in XML to reduce the risk of Cross Site Scripting attacks.
- string.encodeForXMLAttribute()
Encodes the given string for safe output in XMLAttribute to reduce the risk of Cross Site Scripting attacks.
- string.encodeForXPath()
Encodes the given string for safe use in an XPath Query.
- string.sanitizeHTML()
Sanitizes unsafe HTML input and removes elements and attributes like JavaScript, onclick, etc. See also https://github.com/OWASP/java-html-sanitizer