Escaping and unescaping HTML

Question

In a function I do not control, data is being returned via

return xmlFormat(rc.content)

I later want to do a

<cfoutput>#resultsofreturn#</cfoutput>

The problem is all the HTML tags are escaped.

I have considered

<cfoutput>#DecodeForHTML(resultsofreturn)#</cfoutput>

But I am not sure these are inverses of each other

Answer 1

Like Adrian concluded, the best option is to implement a system to get to the pre-encoded value.

In the current state, the string your working with is encoded for an xml document. One option is to create an xml document with the text and parse the text back out of the xml document. I'm not sure how efficient this method is, but it will return the text back to it's pre-encoded value.

function xmlDecode(text){
    return xmlParse("<t>#text#</t>").t.xmlText;
}

TryCF.com example

Answer 2

As of CF 10, you should be using the newer encodeFor functions. These functions account for high ASCII characters as well as UTF-8 characters.

Old and Busted

• XmlFormat()
• HTMLEditFormat()
• JSStringFormat()

New Hotness

• encodeForXML()
• encodeForXMLAttribute()
• encodeForHTML()
• encodeForHTMLAttribute()
• encodeForJavaScript()
• encodeForCSS()

The output from these functions differs by context.

Then, if you're only getting escaped HTML, you can convert it back using Jsouo or the Jakarta Commons Lang library. There are some examples in a related SO answer.

Obviously, the best solution would be to update the existing function to return either version of the content. Is there a way to copy that function in order to return the unescaped content? Or can you just call it from a new function that uses the Java solution to convert the HTML?