Lucee Function Reference

guardencode()

This Function is deprecated
Deprecated legacy function. Use context-specific functions (e.g., encodeForHTML) instead.
Encodes data for a specific output context. This is a vital defense against Cross-Site Scripting (XSS) and injection attacks by ensuring characters are treated as data rather than executable code.

Example

guardencode(string encodeFor,string string,[boolean canonicalize,[string dialect]]):string

Category

encode,xss,security,html,javascript,css,url,sql,xml,ldap,xpath

Arguments

The arguments for this function are set. You can not use other arguments except the following ones.
Name Type Required Default Value Description
encodeFor string  Yes   The target output context. Valid values:
  • css: for style sheets
  • dn: for LDAP Distinguished Names
  • html: for HTML body content
  • html_attr: for HTML attributes (e.g., value, title)
  • javascript: for script blocks or event handlers
  • ldap: for LDAP search filters
  • url: for URI components
  • sql: for database query literals
  • vbscript: for legacy VBScript contexts
  • xml: for XML element content
  • xml_attr: for XML attribute values
  • xpath: for XPath query parameters  
    • string string  Yes   The raw string to be encoded.  
    canonicalize boolean  No false If true, simplifies the input (resolving multiple/mixed encoding) before applying the new encoding. This prevents bypass attacks using double-encoding.  
    dialect string  No   Required only if encodeFor is 'sql'. Specifies the database syntax:
    * db2
    * mysql_ansi
    * mysql
    * oracle