# Home

For all the examples below, `{{{ }}}` marks the output expression, to ease illustration.
## inHTMLComment(s)

This filter is to be placed in the HTML Comment context to defeat any attempt to close the comment state.

Notice: `-->` and `--!>` are the syntaxes that close the HTML comment state. A string that ends with `-`, `--` or `--!` also closes it if the template appends `->` or `>` directly after the variable. `]>`, and a string that ends with `]`, are changed to `] >` and `] ` to disable Internet Explorer conditional comments, which are not part of the HTML 5 standard.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input |

Returns: The string s with `-->`, `--!>` and `]>` replaced with `-- >`, `--! >` and `] >` respectively. In addition, a space is appended to a string s that ends with `-`, `--`, `--!` or `]`.

Type: string

Output context to be applied by this filter:

```html
<!-- {{{inHTMLComment html_comment}}} -->
```
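Reference implementation, as an added example that is not the xss-filters library's own code: the replacements and the trailing-character rule described above, written out in JavaScript, plus a small scanner that shows the comment being closed early without the filter and staying intact with it. The helper names (renderComment, closesCommentEarly, demo) and the payload are this example's own.

```javascript
// Added example, not the library's code: the inHTMLComment transformation as
// the wiki describes it. Names and replacement order are this example's choices.
function inHTMLComment(s) {
  s = String(s)
    .replace(/--!>/g, '--! >')   // the '--!>' closer
    .replace(/-->/g, '-- >')     // the '-->' closer
    .replace(/\]>/g, '] >');     // IE conditional comment closer
  // A trailing '-', '--', '--!' or ']' would complete a closer if the
  // template appends '->' or '>' right after the variable, so pad it.
  if (/(-|--!|\])$/.test(s)) {   // '--' ends with '-' and is covered
    s += ' ';
  }
  return s;
}

// Constructed template: untrusted text sits inside an HTML comment.
function renderComment(value) {
  return '<!-- ' + value + ' -->';
}

// Would the tokenizer leave the comment state before the template's own
// closer? True when a closer occurs before the final '-->'.
function closesCommentEarly(rendered) {
  const firstClose = rendered.search(/-->|--!>/);
  return firstClose !== -1 && firstClose < rendered.lastIndexOf('-->');
}

// Constructed attacker input: breaks out of the comment and injects a tag.
const PAYLOAD = '--><script>alert(1)</script><!--';

function demo() {
  return {
    unfiltered: closesCommentEarly(renderComment(PAYLOAD)),            // true
    filtered: closesCommentEarly(renderComment(inHTMLComment(PAYLOAD))) // false
  };
}
```

The scanner only models the two real closers; `]>` is left to the filter because it is an Internet Explorer extension, not an HTML 5 comment terminator.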
## inHTMLData(s)

This filter is to be placed in the HTML Data context to encode all `<` characters into `&lt;`. Nothing else is encoded: in the data state, markup can only begin with `<`, so this single replacement is sufficient there, but it is not sufficient for attribute values, comments or scripts.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input |

Returns: The string s with `<` encoded as `&lt;`

Type: string

Output context to be applied by this filter:

```html
<textarea>{{{inHTMLData html_data}}}</textarea>
```
## inDoubleQuotedAttr(s)

Warning: This is NOT designed for any onX (e.g., onclick) attributes!

Warning: If you're working on URI/components, use the more specific `uri*InDoubleQuotedAttr` filters (uriInDoubleQuotedAttr, uriPathInDoubleQuotedAttr, uriQueryInDoubleQuotedAttr, uriComponentInDoubleQuotedAttr or uriFragmentInDoubleQuotedAttr).

This filter is to be placed in the HTML Attribute Value (double-quoted) state to encode all double-quote characters into `&quot;`. Nothing else is encoded, so the template must in fact wrap the value in double quotes.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input |

Returns: The string s with any double-quote characters encoded into `&quot;`.

Type: string

Output context to be applied by this filter:

```html
<input name="firstname" value="{{{inDoubleQuotedAttr firstname}}}" />
```
## inSingleQuotedAttr(s)

Warning: This is NOT designed for any onX (e.g., onclick) attributes!

Warning: If you're working on URI/components, use the more specific `uri*InSingleQuotedAttr` filters (uriInSingleQuotedAttr, uriPathInSingleQuotedAttr, uriQueryInSingleQuotedAttr, uriComponentInSingleQuotedAttr or uriFragmentInSingleQuotedAttr).

This filter is to be placed in the HTML Attribute Value (single-quoted) state to encode all single-quote characters into `&#39;`. Nothing else is encoded, so the template must in fact wrap the value in single quotes.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input |

Returns: The string s with any single-quote characters encoded into `&#39;`.

Type: string

Output context to be applied by this filter:

```html
<input name='firstname' value='{{{inSingleQuotedAttr firstname}}}' />
```
## inUnQuotedAttr(s)

Warning: This is NOT designed for any onX (e.g., onclick) attributes!

Warning: If you're working on URI/components, use the more specific `uri*InUnQuotedAttr` filters (uriInUnQuotedAttr, uriPathInUnQuotedAttr, uriQueryInUnQuotedAttr, uriComponentInUnQuotedAttr or uriFragmentInUnQuotedAttr).

This filter is to be placed in the HTML Attribute Value (unquoted) state to encode tab, LF, FF, space and `>` into their equivalent HTML entity representations. These are the characters that terminate an unquoted attribute value, so encoding them keeps the whole input inside the value.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input |

Returns: The string s with any tab, LF, FF, space and `>` encoded.

Type: string

Output context to be applied by this filter:

```html
<input name="firstname" value={{{inUnQuotedAttr firstname}}} />
```
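The filters above are context-specific: each encodes only what can end the state it is meant for. As an added example (not code from the library), the descriptions of inHTMLData, inDoubleQuotedAttr, inSingleQuotedAttr and inUnQuotedAttr are implemented literally below, together with a minimal attribute-value scanner that shows a payload staying inside the value when the filter matches the template's quoting style and escaping it when the wrong filter is used. The entity form chosen for inUnQuotedAttr, the scanner, the template and the payloads are this example's own assumptions.

```javascript
// Added example, not the library's code: the four context filters as the
// wiki describes them, plus a scanner that shows why the filter must match
// the quoting style actually used in the template.
function inHTMLData(s) {
  return String(s).replace(/</g, '&lt;');
}
function inDoubleQuotedAttr(s) {
  return String(s).replace(/"/g, '&quot;');
}
function inSingleQuotedAttr(s) {
  return String(s).replace(/'/g, '&#39;');
}
function inUnQuotedAttr(s) {
  // tab, LF, FF, space and '>' all terminate an unquoted attribute value;
  // numeric character references are this example's choice of entity form
  return String(s).replace(/[\t\n\f >]/g, c => '&#' + c.charCodeAt(0) + ';');
}

// Constructed template from the wiki examples; quote is '"', "'" or ''.
function renderInput(quote, value) {
  return '<input name="firstname" value=' + quote + value + quote + ' />';
}

// Minimal attribute-value scanner following the HTML tokenizer: a quoted
// value runs to the next matching quote, an unquoted one to whitespace or '>'.
function scanAttrValue(rendered, quote) {
  const start = rendered.indexOf('value=') + 'value='.length;
  if (quote) {
    const end = rendered.indexOf(quote, start + 1);
    return rendered.slice(start + 1, end);
  }
  return /^[^\t\n\f >]*/.exec(rendered.slice(start))[0];
}

// True when the browser would see exactly the filtered text as the value,
// i.e. the payload neither closed the value nor added attributes.
function staysInside(filter, quote, payload) {
  const encoded = filter(payload);
  return scanAttrValue(renderInput(quote, encoded), quote) === encoded;
}

// Constructed payloads, one per quoting style.
const DQ_PAYLOAD = '" onfocus="alert(1)';
const SQ_PAYLOAD = "' onfocus='alert(1)";
const UQ_PAYLOAD = 'x onfocus=alert(1)';

function demo() {
  return {
    rightFilter: [
      staysInside(inDoubleQuotedAttr, '"', DQ_PAYLOAD),
      staysInside(inSingleQuotedAttr, "'", SQ_PAYLOAD),
      staysInside(inUnQuotedAttr, '', UQ_PAYLOAD)
    ],
    wrongFilter: [
      staysInside(inSingleQuotedAttr, '"', DQ_PAYLOAD),  // '"' untouched
      staysInside(inDoubleQuotedAttr, "'", SQ_PAYLOAD),  // "'" untouched
      staysInside(inDoubleQuotedAttr, '', UQ_PAYLOAD)    // space untouched
    ]
  };
}
```

Every entry of `rightFilter` is true and every entry of `wrongFilter` is false: the payload only needs the one character the mismatched filter ignores.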
## uriInHTMLComment(s)

This filter is to be placed in the HTML Comment state for an absolute URI.

Notice: This filter is IPv6 friendly by not encoding `[` and `]`.

Notice: window.encodeURI() leaves `-` unencoded, so the inHTMLComment() step is still needed for the trailing-dash cases.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input, supposedly an absolute URI |

Returns: The string s encoded by window.encodeURI(), and finally inHTMLComment()

Type: string

Output context to be applied by this filter:

```html
<!-- {{{uriInHTMLComment full_uri}}} -->
```
## uriInHTMLData(s)

This filter is to be placed in the HTML Data state for an absolute URI.

Notice: The actual implementation skips inHTMLData(), since `<` is already encoded as `%3C` by encodeURI().

Notice: This filter is IPv6 friendly by not encoding `[` and `]`.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input, supposedly an absolute URI |

Returns: The string s encoded by window.encodeURI() and then inHTMLData()

Type: string

Output context to be applied by this filter:

```html
<a href="/somewhere">{{{uriInHTMLData full_uri}}}</a>
```
## uriInDoubleQuotedAttr(s)

This filter is to be placed in the HTML Attribute Value (double-quoted) state for an absolute URI.

The encoders are applied in this order: first window.encodeURI(), then inDoubleQuotedAttr(), and finally the resulting string is prefixed with `x-` if it begins with `javascript:` or `vbscript:`, which could otherwise lead to script execution. The prefix step is needed because encodeURI() leaves `:` unencoded, so such a scheme survives the first step unchanged.

Notice: This filter is IPv6 friendly by not encoding `[` and `]`.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input, supposedly an absolute URI |

Returns: The string s encoded first by window.encodeURI(), then inDoubleQuotedAttr(), and finally prefixed with `x-` if it begins with `javascript:` or `vbscript:`, which could otherwise lead to script execution

Type: string

Output context to be applied by this filter:

```html
<a href="{{{uriInDoubleQuotedAttr full_uri}}}">link</a>
```
## uriInSingleQuotedAttr(s)

This filter is to be placed in the HTML Attribute Value (single-quoted) state for an absolute URI.

The encoders are applied in this order: first window.encodeURI(), then inSingleQuotedAttr(), and finally the resulting string is prefixed with `x-` if it begins with `javascript:` or `vbscript:`, which could otherwise lead to script execution. Note that encodeURI() leaves both `'` and `:` unencoded, which is why the second and third steps are required.

Notice: This filter is IPv6 friendly by not encoding `[` and `]`.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input, supposedly an absolute URI |

Returns: The string s encoded first by window.encodeURI(), then inSingleQuotedAttr(), and finally prefixed with `x-` if it begins with `javascript:` or `vbscript:`, which could otherwise lead to script execution

Type: string

Output context to be applied by this filter:

```html
<a href='{{{uriInSingleQuotedAttr full_uri}}}'>link</a>
```
## uriInUnQuotedAttr(s)

This filter is to be placed in the HTML Attribute Value (unquoted) state for an absolute URI.

The encoders are applied in this order: first window.encodeURI(), then inUnQuotedAttr(), and finally the resulting string is prefixed with `x-` if it begins with `javascript:` or `vbscript:`, which could otherwise lead to script execution.

Notice: This filter is IPv6 friendly by not encoding `[` and `]`.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input, supposedly an absolute URI |

Returns: The string s encoded first by window.encodeURI(), then inUnQuotedAttr(), and finally prefixed with `x-` if it begins with `javascript:` or `vbscript:`, which could otherwise lead to script execution

Type: string

Output context to be applied by this filter:

```html
<a href={{{uriInUnQuotedAttr full_uri}}}>link</a>
```
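The order of encoders in the three attribute filters above is the security-relevant part: window.encodeURI() does not touch `:` or `'`, so a `javascript:` scheme and a single quote both survive the first step. As an added example (not the library's implementation), the chain for uriInDoubleQuotedAttr and uriInSingleQuotedAttr is built from window.encodeURI() below. How `[` and `]` are preserved, the case-insensitive scheme check, and the character-reference decoding applied before that check are assumptions of this example, not statements about the library.

```javascript
// Added example, not the library's code: the three encoding steps the wiki
// gives for uriInDoubleQuotedAttr and uriInSingleQuotedAttr. How the library
// keeps '[' and ']' (the "IPv6 friendly" notice) and how it detects the
// script schemes are assumptions of this example.
function ipv6FriendlyEncodeURI(s) {
  // window.encodeURI percent-encodes '[' and ']'; restore them so a host
  // such as http://[::1]/ is preserved (a literal '%5B' in the input has
  // already become '%255B', so it is not affected)
  return encodeURI(String(s)).replace(/%5B/g, '[').replace(/%5D/g, ']');
}

// The attribute value is character-reference decoded before the URL is
// parsed, so the check looks at a decoded copy: '&#106;avascript:' is
// 'javascript:' to the browser even though encodeURI leaves '&', '#' and ';'
// untouched. Decoding here is this example's addition to the wiki's rule.
function decodeNumericRefs(s) {
  const toChar = (m, code) => (code > 0x10FFFF ? m : String.fromCodePoint(code));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (m, h) => toChar(m, parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (m, d) => toChar(m, parseInt(d, 10)));
}

// Step 3: prefix 'x-' when the (decoded) string begins with a script scheme.
// Scheme names are case-insensitive and browsers strip leading control
// characters, so both are taken into account (again this example's choice).
function neutraliseScriptScheme(s) {
  const decoded = decodeNumericRefs(s).replace(/^[\u0000-\u0020]+/, '');
  return /^(javascript|vbscript):/i.test(decoded) ? 'x-' + s : s;
}

// Step 1, then step 2 (the attribute encoder from the wiki), then step 3.
function uriInDoubleQuotedAttr(s) {
  return neutraliseScriptScheme(ipv6FriendlyEncodeURI(s).replace(/"/g, '&quot;'));
}
function uriInSingleQuotedAttr(s) {
  return neutraliseScriptScheme(ipv6FriendlyEncodeURI(s).replace(/'/g, '&#39;'));
}
```

After step 1 the string contains no raw whitespace, `<`, `>` or `"` (encodeURI() encodes all of them), so the remaining risks are the apostrophe, which only inSingleQuotedAttr() handles, and the scheme, which only the prefix handles. The wiki's rule is a literal check on `javascript:` and `vbscript:`; whether the library also considers character references, as this example does, is not stated on this page.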
## uriPathInHTMLComment(s)

This filter is to be placed in the HTML Comment state for a URI Path/Query or relative URI.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input, supposedly a URI Path/Query or relative URI |

Returns: The string s encoded by window.encodeURI(), and finally inHTMLComment()

Type: string

Output context to be applied by this filter:

```html
<!-- http://example.com/{{{uriPathInHTMLComment uri_path}}} -->
<!-- http://example.com/?{{{uriQueryInHTMLComment uri_query}}} -->
```
## uriPathInHTMLData(s)

This filter is to be placed in the HTML Data state for a URI Path/Query or relative URI.

Notice: The actual implementation skips inHTMLData(), since `<` is already encoded as `%3C` by encodeURI().

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input, supposedly a URI Path/Query or relative URI |

Returns: The string s encoded by window.encodeURI() and then inHTMLData()

Type: string

Output context to be applied by this filter:

```html
<a href="http://example.com/">http://example.com/{{{uriPathInHTMLData uri_path}}}</a>
<a href="http://example.com/">http://example.com/?{{{uriQueryInHTMLData uri_query}}}</a>
```
## uriPathInDoubleQuotedAttr(s)

This filter is to be placed in the HTML Attribute Value (double-quoted) state for a URI Path/Query or relative URI.

The encoders are applied in this order: first window.encodeURI(), then inDoubleQuotedAttr(), and finally the resulting string is prefixed with `x-` if it begins with `javascript:` or `vbscript:`, which could otherwise lead to script execution.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input, supposedly a URI Path/Query or relative URI |

Returns: The string s encoded first by window.encodeURI(), then inDoubleQuotedAttr(), and finally prefixed with `x-` if it begins with `javascript:` or `vbscript:`, which could otherwise lead to script execution

Type: string

Output context to be applied by this filter:

```html
<a href="http://example.com/{{{uriPathInDoubleQuotedAttr uri_path}}}">link</a>
<a href="http://example.com/?{{{uriQueryInDoubleQuotedAttr uri_query}}}">link</a>
```
## uriPathInSingleQuotedAttr(s)

This filter is to be placed in the HTML Attribute Value (single-quoted) state for a URI Path/Query or relative URI.

The encoders are applied in this order: first window.encodeURI(), then inSingleQuotedAttr(), and finally the resulting string is prefixed with `x-` if it begins with `javascript:` or `vbscript:`, which could otherwise lead to script execution.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input, supposedly a URI Path/Query or relative URI |

Returns: The string s encoded first by window.encodeURI(), then inSingleQuotedAttr(), and finally prefixed with `x-` if it begins with `javascript:` or `vbscript:`, which could otherwise lead to script execution

Type: string

Output context to be applied by this filter:

```html
<a href='http://example.com/{{{uriPathInSingleQuotedAttr uri_path}}}'>link</a>
<a href='http://example.com/?{{{uriQueryInSingleQuotedAttr uri_query}}}'>link</a>
```
## uriPathInUnQuotedAttr(s)

This filter is to be placed in the HTML Attribute Value (unquoted) state for a URI Path/Query or relative URI.

The encoders are applied in this order: first window.encodeURI(), then inUnQuotedAttr(), and finally the resulting string is prefixed with `x-` if it begins with `javascript:` or `vbscript:`, which could otherwise lead to script execution.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input, supposedly a URI Path/Query or relative URI |

Returns: The string s encoded first by window.encodeURI(), then inUnQuotedAttr(), and finally prefixed with `x-` if it begins with `javascript:` or `vbscript:`, which could otherwise lead to script execution

Type: string

Output context to be applied by this filter:

```html
<a href=http://example.com/{{{uriPathInUnQuotedAttr uri_path}}}>link</a>
<a href=http://example.com/?{{{uriQueryInUnQuotedAttr uri_query}}}>link</a>
```
## uriQueryInHTMLComment(s)

This is an alias of uriPathInHTMLComment.

## uriQueryInHTMLData(s)

This is an alias of uriPathInHTMLData.

## uriQueryInDoubleQuotedAttr(s)

This is an alias of uriPathInDoubleQuotedAttr.

## uriQueryInSingleQuotedAttr(s)

This is an alias of uriPathInSingleQuotedAttr.

## uriQueryInUnQuotedAttr(s)

This is an alias of uriPathInUnQuotedAttr.
## uriComponentInHTMLComment(s)

This filter is to be placed in the HTML Comment state for a URI Component.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input, supposedly a URI Component |

Returns: The string s encoded by window.encodeURIComponent(), and finally inHTMLComment()

Type: string

Output context to be applied by this filter:

```html
<!-- http://example.com/?q={{{uriComponentInHTMLComment uri_component}}} -->
<!-- http://example.com/#{{{uriComponentInHTMLComment uri_fragment}}} -->
```
## uriComponentInHTMLData(s)

This filter is to be placed in the HTML Data state for a URI Component.

Notice: The actual implementation skips inHTMLData(), since `<` is already encoded as `%3C` by encodeURIComponent().

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input, supposedly a URI Component |

Returns: The string s encoded by window.encodeURIComponent() and then inHTMLData()

Type: string

Output context to be applied by this filter:

```html
<a href="http://example.com/">http://example.com/?q={{{uriComponentInHTMLData uri_component}}}</a>
<a href="http://example.com/">http://example.com/#{{{uriComponentInHTMLData uri_fragment}}}</a>
```
## uriComponentInDoubleQuotedAttr(s)

This filter is to be placed in the HTML Attribute Value (double-quoted) state for a URI Component.

The encoders are applied in this order: first window.encodeURIComponent(), then inDoubleQuotedAttr().

Notice: window.encodeURIComponent() encodes `:` as `%3A`, so a `javascript:` or `vbscript:` scheme cannot survive the first step.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input, supposedly a URI Component |

Returns: The string s encoded first by window.encodeURIComponent(), then inDoubleQuotedAttr()

Type: string

Output context to be applied by this filter:

```html
<a href="http://example.com/?q={{{uriComponentInDoubleQuotedAttr uri_component}}}">link</a>
```
## uriComponentInSingleQuotedAttr(s)

This filter is to be placed in the HTML Attribute Value (single-quoted) state for a URI Component.

The encoders are applied in this order: first window.encodeURIComponent(), then inSingleQuotedAttr(). The second step is required because encodeURIComponent() leaves `'` unencoded.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input, supposedly a URI Component |

Returns: The string s encoded first by window.encodeURIComponent(), then inSingleQuotedAttr()

Type: string

Output context to be applied by this filter:

```html
<a href='http://example.com/?q={{{uriComponentInSingleQuotedAttr uri_component}}}'>link</a>
```
## uriComponentInUnQuotedAttr(s)

This filter is to be placed in the HTML Attribute Value (unquoted) state for a URI Component.

The encoders are applied in this order: first window.encodeURIComponent(), then inUnQuotedAttr().

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input, supposedly a URI Component |

Returns: The string s encoded first by window.encodeURIComponent(), then inUnQuotedAttr()

Type: string

Output context to be applied by this filter:

```html
<a href=http://example.com/?q={{{uriComponentInUnQuotedAttr uri_component}}}>link</a>
```
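As an added example (not the library's code), the difference between the uriComponent* family above and the uriQuery* family on the same query value, using the first encoding step of each (window.encodeURIComponent() versus window.encodeURI()) and a small query-string parser to show which parameters a server would receive. The parser, the template and the payload are this example's own.

```javascript
// Added example, not the library's code: why a query *value* needs the
// uriComponent* filters. Step 1 of the wiki's chain is window.encodeURIComponent,
// which encodes the URL delimiters that encodeURI (step 1 of uriQuery*) keeps.
function uriComponentInDoubleQuotedAttr(s) {
  // encodeURIComponent already encodes '"' as %22; the replace is a safety net
  return encodeURIComponent(String(s)).replace(/"/g, '&quot;');
}
function uriComponentInSingleQuotedAttr(s) {
  // encodeURIComponent leaves the apostrophe alone, so step 2 is not optional
  return encodeURIComponent(String(s)).replace(/'/g, '&#39;');
}

// Constructed template: the untrusted value is one query parameter among
// others that the application controls.
function buildSearchUrl(encodeStep, q) {
  return 'http://example.com/?q=' + encodeStep(q) + '&role=user';
}

// Tiny query-string parser returning the parameters a server would see.
function parseQuery(url) {
  const params = new Map();
  const qs = url.split('#')[0].split('?')[1] || '';
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    params.set(decodeURIComponent(k), decodeURIComponent(v));
  }
  return params;
}

// Constructed payload that tries to override 'role' and truncate the rest.
const PAYLOAD = 'shoes&role=admin#';

function demo() {
  return {
    // encodeURI keeps '&', '=' and '#': the value becomes new parameters
    withEncodeURI: [...parseQuery(buildSearchUrl(encodeURI, PAYLOAD))],
    // encodeURIComponent encodes them: the value stays a single parameter
    withComponent: [...parseQuery(buildSearchUrl(uriComponentInDoubleQuotedAttr, PAYLOAD))]
  };
}
```

With encodeURI() the server sees `role=admin` and never sees `role=user`, because the `#` in the payload turned the application's own parameter into a fragment; with the component filter it sees `q` equal to the whole payload and `role=user`.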
## uriFragmentInHTMLComment(s)

This is an alias of uriComponentInHTMLComment.

## uriFragmentInHTMLData(s)

This is an alias of uriComponentInHTMLData.
## uriFragmentInDoubleQuotedAttr(s)

This filter is to be placed in the HTML Attribute Value (double-quoted) state for a URI Fragment.

The encoders are applied in this order: first window.encodeURIComponent(), then inDoubleQuotedAttr(), and finally the resulting string is prefixed with `x-` if it begins with `javascript:` or `vbscript:`, which could otherwise lead to script execution.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input, supposedly a URI Fragment |

Returns: The string s encoded first by window.encodeURIComponent(), then inDoubleQuotedAttr(), and finally prefixed with `x-` if it begins with `javascript:` or `vbscript:`, which could otherwise lead to script execution

Type: string

Output context to be applied by this filter:

```html
<a href="http://example.com/#{{{uriFragmentInDoubleQuotedAttr uri_fragment}}}">link</a>
```
## uriFragmentInSingleQuotedAttr(s)

This filter is to be placed in the HTML Attribute Value (single-quoted) state for a URI Fragment.

The encoders are applied in this order: first window.encodeURIComponent(), then inSingleQuotedAttr(), and finally the resulting string is prefixed with `x-` if it begins with `javascript:` or `vbscript:`, which could otherwise lead to script execution.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input, supposedly a URI Fragment |

Returns: The string s encoded first by window.encodeURIComponent(), then inSingleQuotedAttr(), and finally prefixed with `x-` if it begins with `javascript:` or `vbscript:`, which could otherwise lead to script execution

Type: string

Output context to be applied by this filter:

```html
<a href='http://example.com/#{{{uriFragmentInSingleQuotedAttr uri_fragment}}}'>link</a>
```
## uriFragmentInUnQuotedAttr(s)

This filter is to be placed in the HTML Attribute Value (unquoted) state for a URI Fragment.

The encoders are applied in this order: first window.encodeURIComponent(), then inUnQuotedAttr(), and finally the resulting string is prefixed with `x-` if it begins with `javascript:` or `vbscript:`, which could otherwise lead to script execution.

| Name | Type | Description |
| --- | --- | --- |
| s | string | An untrusted user input, supposedly a URI Fragment |

Returns: The string s encoded first by window.encodeURIComponent(), then inUnQuotedAttr(), and finally prefixed with `x-` if it begins with `javascript:` or `vbscript:`, which could otherwise lead to script execution

Type: string

Output context to be applied by this filter:

```html
<a href=http://example.com/#{{{uriFragmentInUnQuotedAttr uri_fragment}}}>link</a>
```
- inHTMLComment(s)
- inHTMLData(s)
- inDoubleQuotedAttr(s)
- inSingleQuotedAttr(s)
- inUnQuotedAttr(s)
- uriInHTMLComment(s)
- uriInHTMLData(s)
- uriInDoubleQuotedAttr(s)
- uriInSingleQuotedAttr(s)
- uriInUnQuotedAttr(s)
- uriPathInHTMLComment(s)
- uriPathInHTMLData(s)
- uriPathInDoubleQuotedAttr(s)
- uriPathInSingleQuotedAttr(s)
- uriPathInUnQuotedAttr(s)
- uriQueryInHTMLComment(s)
- uriQueryInHTMLData(s)
- uriQueryInDoubleQuotedAttr(s)
- uriQueryInSingleQuotedAttr(s)
- uriQueryInUnQuotedAttr(s)
- uriComponentInHTMLComment(s)
- uriComponentInHTMLData(s)
- uriComponentInDoubleQuotedAttr(s)
- uriComponentInSingleQuotedAttr(s)
- uriComponentInUnQuotedAttr(s)
- uriFragmentInHTMLComment(s)
- uriFragmentInHTMLData(s)
- uriFragmentInDoubleQuotedAttr(s)
- uriFragmentInSingleQuotedAttr(s)
- uriFragmentInUnQuotedAttr(s)