OpenWGA 7.10 - WebTML reference
<tml:[All tags] encode="encoder[, encoder, ...]">
Purpose:
Description:
WebTML encoders have names that are specified as the value of this attribute. Some are preinstalled in OpenWGA, like "html", which converts plaintext to HTML code. Others may be installed in addition as OpenWGA plugins.
OpenWGA designs can specify "default encoders", which are then used automatically on tags that put out dynamic input (those most vulnerable to code injection), like <tml:item>, <tml:metadata>, <tml:input> and <tml:urlparameter>. You can still use the encode attribute on these tags to use a different encoder than the one configured by the design.
You can specify multiple encoders by comma-separating them. The encoders are applied to the tag result in the order in which they are specified; each encoder receives the result of the previous encoder as its text input.
Value(s):
none: No encoding
concise: Like "oneline", but additionally converts tabs to spaces and ensures that there are no multiple spaces in a line, compressing them to a single space.
crlf: Ensures that before each linefeed character there is a carriage return character
html|xml: Basically converts plain text to HTML code. All line feeds are converted to HTML line breaks. All reserved characters in HTML/XML, like "<", ">" and "&", are converted to HTML entities (so that HTML code already contained in the plaintext input is displayed rather than rendered). All special characters with an ASCII code > 127 are converted to Unicode entities. Also, all single quotes are converted to the corresponding HTML entities if the design is of compatibility version 6.2 or higher.
javascript: Escapes all JavaScript string delimiters and removes <script> tags, so the result can be used as the contents of a JavaScript string
json: Like "javascript", but also respects special rules for valid JSON data serialisation format. For example: single quotes are not encoded as they are not allowed as string delimiters in JSON.
np: Converts a text to be usable as a unique name part inside a context expression (see context expression "np:" on attribute context). Essentially converts dots and slashes to underscores and lowercases everything. Use this when constructing document unique names that should be navigable via nameparts.
oneline: Removes all linefeeds and carriage returns from a text, compressing it to a single line. The characters are converted to a space if there is no whitespace directly before/after it.
plaintext: Converts HTML/XML into plaintext, by removing the tags and converting HTML entities back into their original characters.
rtf: Used to put out OpenWGA richtext fields and resolve their dynamic parts. This encoder is implicitly chosen on tag <tml:item> with attribute editor="rtf". If you want to put out richtext content on other tags you should use this encoder.
url: Performs standard URL encoding on the text, replacing all characters that need to be escaped for usage inside URLs with "%charcode" expressions, adhering to the rules of the "application/x-www-form-urlencoded" format. It uses the OpenWGA standard encoding to determine charcodes. Do not use it to encode complete URLs, but rather strings that need to be used as URL parts, like paths or query parameter names and values.
urlquery: Performs standard URL encoding, just like "url", but treats the content as being part of the URL query string (URL parameter names or values), where slightly different rules apply.
customencoder: Some custom encoder that may be available because of an OpenWGA plugin.
Examples:
This
is a
Text put out by <tml:item>
This plain text will be shown in the browser as follows:
This is a text put out by
The carriage returns would not be displayed as HTML ignores them. The "<tml:item>" would be interpreted as HTML tag - an unknown one - and also ignored.
But if you "html"-encode the text on output:
<tml:item name="textitem" encode="html"/>
Then OpenWGA will convert the carriage returns to <br> tags and escape the "<" and ">" signs, resulting in the following HTML code:
This<br>is a<br>Text put out by &lt;tml:item&gt;
The result will be that the text is shown in the browser just like it is seen in plain text.
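The order rule for comma-separated encoders and the "html" example above, as an added example that is not OpenWGA's own code: a simplified Python model of the "html", "plaintext" and "oneline" encoders, written from the descriptions on this page and applied left to right to the sample text. The function names and the reduced encoder rules (no entity conversion of characters above ASCII 127, no single-quote handling, every line-break run replaced by one space) are assumptions of the model.

```python
import html
import re

# Simplified models of three encoders, written from the descriptions on this
# page. They are NOT OpenWGA's implementation (assumption: reduced rule set).
def enc_html(text):
    # Escape "<", ">" and "&", then turn line feeds into HTML line breaks.
    escaped = html.escape(text, quote=False)
    return escaped.replace("\r\n", "\n").replace("\n", "<br>")

def enc_plaintext(text):
    # Remove tags, then convert HTML entities back into their characters.
    return html.unescape(re.sub(r"<[^>]*>", "", text))

def enc_oneline(text):
    # Collapse each run of CR/LF into one space (simplified whitespace rule).
    return re.sub(r"[\r\n]+", " ", text)

ENCODERS = {
    "none": lambda t: t,
    "html": enc_html,
    "plaintext": enc_plaintext,
    "oneline": enc_oneline,
}

def apply_encoders(text, encode_attr):
    """Apply a comma-separated encoder list left to right; each encoder
    receives the output of the previous one."""
    for name in (n.strip() for n in encode_attr.split(",")):
        text = ENCODERS[name](text)
    return text

# Constructed sample: the item content used in the example on this page.
SAMPLE = "This\nis a\nText put out by <tml:item>"

if __name__ == "__main__":
    for chain in ("html", "oneline,html", "html,oneline", "html,plaintext"):
        print(f"{chain:15} -> {apply_encoders(SAMPLE, chain)!r}")
```

In this model "oneline,html" yields a single escaped line, "html,oneline" leaves the <br> tags in place, and "html,plaintext" hands the raw "<" and ">" back to the page, so the last encoder in a chain should be the one that matches the output context.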