Saw a comment today at: http://www.bennadel.com/blog/2004-Escaping-Form-Values-Understanding-The-ColdFusion-htmlEditFormat-Life-Cycle.htm by Rick Osborne
I've started moving my students from
htmlEditFormat over to xmlFormat. As you said, it catches more characters, but it's also useful for pure XML and is faster to type. I haven't been able to come up with a compelling reason to stick with htmlEditFormat.
Should we all start using XmlFormat()?  Can you think of a "compelling reason" other than maybe slightly slower in performance?
UPDATE: the below answer is no longer relevant. What I've noticed by using XMLFormat() over HTMLEditFormat() is that IE doesn't interpret the ' and thus causes havoc.
In my opinion, if it catches more (such as single quotes, as Jason Dean pointed out), thus making your app safer, then I'll eat the performance hit. In all reality, how much of a performance hit could it possibly be... 1 or 2ms?
In the upcoming cfwheels 1.1 release, I added an h() method that was a wrapper for the htmleditformat() method. After reading both Ben's and this post, I'm going to be switching it over to use XMLFormat() instead.
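A Python model of the two escaping behaviours discussed in the answers above, plus an h()-style wrapper that works around the IE problem with &apos; (added here as an illustration; this is not cfwheels' or ColdFusion's own code, and the entity tables are my reading of the documented behaviour of HTMLEditFormat() and XmlFormat()):

```python
# Entity tables modelled on the ColdFusion functions as documented:
# HTMLEditFormat() escapes & < > "  while XmlFormat() additionally escapes
# the single quote as &apos;.  (Python model for illustration only.)
_HTML_EDIT = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}
_XML = dict(_HTML_EDIT, **{"'": "&apos;"})


def html_edit_format(s: str) -> str:
    """Model of HTMLEditFormat(): single quotes pass through unescaped."""
    # Per-character mapping, so an existing '&' is escaped exactly once.
    return "".join(_HTML_EDIT.get(c, c) for c in s)


def xml_format(s: str) -> str:
    """Model of XmlFormat(): also turns ' into the XML entity &apos;."""
    return "".join(_XML.get(c, c) for c in s)


def h(s: str) -> str:
    """Wrapper in the spirit of the cfwheels h() mentioned above: XmlFormat-style
    escaping, but with &apos; (an XML entity that older IE does not decode in
    HTML) swapped for the numeric &#39;, which every HTML browser understands."""
    return xml_format(s).replace("&apos;", "&#39;")


def safe_in_attribute(escaped: str, quote: str) -> bool:
    """True if `escaped` can neither close an attribute delimited by `quote`
    nor open a tag, i.e. it is safe to drop into quote="..." / quote='...'."""
    return quote not in escaped and "<" not in escaped


def compare(s: str) -> dict:
    """Side-by-side view of what each approach makes of the same input."""
    return {
        "HTMLEditFormat": html_edit_format(s),
        "XmlFormat": xml_format(s),
        "h": h(s),
    }


# Constructed sample: a user-supplied value containing a single quote and a tag.
SAMPLE = "O'Brien <b>"

if __name__ == "__main__":
    for name, out in compare(SAMPLE).items():
        # Only XmlFormat and h() leave the value safe inside a single-quoted attribute.
        print(f"{name:15} {out!r:28} safe in '...': {safe_in_attribute(out, chr(39))}")
```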