How do I preserve '<' and '>' in my output?

Report · Apr 05, 2010

CF8, SQL Server, Windows Server

When I print the contents of a text field that contains a '<' or a '>'. the output truncates. The part that I find odd is as follows:

"Administer Meds if pain level <2 on the pain scale" truncates after the <.

"Administer Meds if pain level < 2 on the pain scale" prints the entire content, note the SPACE after the <.

Since the input fields are free text, I can't guarantee that tne end users will ALWAYS put a space after these characters.

My output code is as simple as follows: <td>#GetOIG.Goals#</td>

I presume this has to do with the <> characters traditionally being part of the opening and closing of the td tags, but this is just a guess. I inherited this project, and this issue is just being brought to my attention.

Report · Apr 05, 2010

When displaying it, use htmlEditFormat().

http://livedocs.adobe.com/coldfusion/8/htmldocs/functions_h-im_04.html#4744272

--

Adam

Report · Apr 05, 2010

Correct, you need to escape the angle brackets so that the HTML parser in the browser does not try to parse them as tags.

You escape them with these HTML entities < >

ColdFusion provides two nice functions, htmlEditFormat() and htmlCodeFormat() that will automatically escape all HTML charaters that need to be, such as angle brackets.

I.E.

<td>#htmlEditFormat(GetOIG.Goals)#</td>

Check the documentation for the full description on these and other ColdFusion formating functions.

Report · Apr 05, 2010

Thanks guys. I cant believe after all these years that I have not encountered this situation before. Since this is a medical application, clients are entering the "less than" and "greater than" symbols all the time and it is tripping up this one app. It does not throw an error, of course, and since people dont READ anything anymore nobody has noticed that it is truncating!

Report · Apr 05, 2010

What you should do in this case is to allow them to enter the "<"and ">" marks as-usual, then use HTMLEditFormat() during the output of those fields so that what actually winds-up being sent to the browser is the corresponding meta-characters, "<" and ">".

The characters "<" and ">" will be entered, and they will be stored in the database in their literal form, but when outputting the values, they are escaped. The user's browser can no longer be confused as to what it is receiving ... "what is HTML and what is not." It will interpret the characters properly and output the text just as the user originally entered it.