Character escaping

The character escaping functions $esc.html and $esc.xml can be applied to content in order to generate valid XML and HTML output.

Character escaping for HTML output

Some characters in HTML must be escaped in order to generate valid HTML output. For example:

•	& – escape sequence &

•	< – escape sequence &lt;

•	> – escape sequence >

You can escape characters manually, for example by typing > instead of > when you write your template. You can also use the $esc.html function to escape characters. Use the following syntax:

$esc.html(<string>)

The <string> argument is a sequence of characters. You can use variables.

This function will automatically replace characters in the string with the corresponding escape sequences. For example, if you type $esc.html('The <p> tag') in your template, the output will be The &lt;p&gt; tag. You will get the same result if you use a variable as argument:

#set($variable='The <p> tag')

$esc.html($variable)

Character escaping for XML output

Character escaping for XML is almost identical to character escaping for HTML. The difference is that you use the $esc.xml function to escape characters. The following five characters must be escaped in order to generate valid XML output:

•	& – escape sequence &

•	< – escape sequence &lt;

•	> – escape sequence >

•	‘ – escape sequence '

•	" – escape sequence "

Example 82

Template example

Template

#set($var='<div> start tag, </div> end tag.')
<html>
<body>
<p>Escape var: $esc.html($var)</p>
<p>No escape: $var</p>
<p>Escape string: $esc.html('The <p> tag')</p>
</body>
</html>

Output (source):

<html>
<body>
<p>Escape var: &lt;div&gt; start tag, &lt;/div&gt; end tag.</p>
<p>No escape: <div> start tag, </div> end tag.</p>
<p>Escape string: The &lt;p&gt; tag </p>
</body>
</html>

Output (browser):

Escape var: <div> start tag, </div> end tag.
No escape:
start tag,
end tag. 
Escape string: The <p> tag