URL encoding is not character/entity encoding.
This should go without saying, but I frequently see this confused by experienced developers, especially when working with dynamic/loosely typed languages.
decodeURIComponent(). In ColdFusion, you can use the
URLDecode() functions. PHP provides
rawurlencode() and their decode counterparts.
Entity encoding is used for representing characters in a document that lie outside of the document character set or have a special meaning within the document. For example In XML, &, <,>,”,and ‘ have to be encoded as entities (‘
>, etc.) in the document source code. Typically, characters outside of “low” ASCII need to be encoded as well. In client-side code, you typically need not worry about entity-encoding. You’re working with a DOM, not document source code, so entity expansion/subsitituion has already been done.
ColdFusion is a little tricky on this one. There is no equivalent to PHP’s
htmlentities. You basically have two options,
XMLFormat. The former will encode characters with special meanings, but it misses high-ASCII (and higher). The latter will encode high-ASCII, but will not use special HTML entity names. It’s for (the more generic) XML after all.
XMLFormat escapes characters using character entity references.
The concept applies outside of this concrete example, but this is the example that led me to channel my angst into what I hope is a helpful guide post for others. In fact, you’ll notice that two paragraphs above, Word Press has transformed my double and single quotes to right-double and left-single quotes, respectively. What are some other escaping/transforming pitfalls you’ve seen?