Should encodeForHtml() & encodeForURL() be used from CF10 onward, in favor of htmlEditFormat() & urlFormat()?

左心房为你撑大大i submitted on 2019-12-12 02:24:09

Question


In an earlier question encodeForHtml() vs htmlEditFormat(), how are they different, it seems like the new encodeForHtml() & encodeForURL() functions are superior to htmlEditFormat() & urlFormat() respectively.

Should the ESAPI-based encodeForXXX functions be used in favor of the existing ones? Should the 2 older functions be deprecated?

Thank you.


Answer 1:


I have no idea if the two older functions would be deprecated. But I would say that using the new functions would be a good idea, unless you need to support backward compatibility.




Answer 2:


The new functions cover all the territory the old functions did, plus they are more "aware" of more recent potential risks in incompletely escaped mark-up. I see no reason to use the old functions given the existence of the new functions.

As for deprecation, I'm all for it. If encodeForHtml() - for example - is better / more secure than htmlEditFormat(), then it is at best poor form to not flag the latter as obsolete and that the new function should be used instead. At worst it's negligent not to do so.

I would urge Adobe to mark htmlEditFormat() etc as deprecated in the docs, and advise why. I would not suggest they take it any further than deprecation at this point though.
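As an added illustration of the point above (example code written for this page, not from the original answer or from Adobe), the following cfscript component renders one untrusted value into three output contexts with the CF10 ESAPI encoders, beside the pre-CF10 equivalent. It assumes ColdFusion 10 or later, where encodeForHTML(), encodeForHTMLAttribute() and encodeForURL() exist alongside the legacy htmlEditFormat() and urlEncodedFormat().

```cfml
// Added example (cfscript, ColdFusion 10+); not code from the original post.
// Assumes the CF10 ESAPI functions encodeForHTML(), encodeForHTMLAttribute()
// and encodeForURL(), plus the legacy htmlEditFormat() / urlEncodedFormat().
component {

    // Renders one untrusted search term into three output contexts, each with
    // the encoder that matches that context.
    public struct function renderSearchTerm(required string term) {
        var out = {};
        // Element body: encodeForHTML() entity-encodes every non-alphanumeric
        // character (apostrophe, slash, ...), whereas htmlEditFormat() only
        // replaces &, <, > and " and passes everything else through as-is.
        out.body = "<p>You searched for " & encodeForHTML(arguments.term) & "</p>";
        // Attribute value: use the attribute-specific encoder, so the value is
        // safe inside a single-quoted attribute as well as a double-quoted one.
        out.attr = "<input type='text' value='" & encodeForHTMLAttribute(arguments.term) & "'>";
        // Query string: encodeForURL() percent-encodes for the URL context.
        out.link = "/search?q=" & encodeForURL(arguments.term);
        return out;
    }

    // The pre-CF10 equivalent, kept only for comparison with the output above.
    public struct function renderSearchTermLegacy(required string term) {
        var out = {};
        out.body = "<p>You searched for " & htmlEditFormat(arguments.term) & "</p>";
        out.attr = "<input type='text' value='" & htmlEditFormat(arguments.term) & "'>";
        out.link = "/search?q=" & urlEncodedFormat(arguments.term);
        return out;
    }
}
```

With a constructed term such as `O'Neil`, the legacy helper leaves the apostrophe untouched inside the single-quoted attribute, while the ESAPI encoders replace it with a numeric entity reference; that is the "incompletely escaped mark-up" gap the answer refers to.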




Answer 3:


New in ColdFusion 11

Deprecated

The HTMLEditFormat() function has [been] deprecated.



Source: https://stackoverflow.com/questions/10604987/should-encodeforhtml-encodeforurl-be-used-from-cf10-onward-in-favor-of-ht
