HTML Line Breaks in Visualforce using Escape=false with Encoding

Setting escape="false" on a Visualforce tag can help send an HTML tag, such as a line break, to the page. However, escape="false" can open cross-site scripting vulnerabilities. The Visualforce encoding functions HTMLENCODE, JSENCODE, JSINHTMLENCODE, and URLENCODE help avoid those vulnerabilities, but they also prevent \n newline characters and HTML tags from showing on the page.

I wanted an HTML line break <br /> to show on a page, but the JSENCODE function changes brackets into Unicode \u003C and \u003E equivalents. If you’re only expecting line breaks, one way around this is to wrap the SUBSTITUTE function around the JSENCODE.
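
The encode-then-substitute idea above, modelled in plain JavaScript as an added example (not code from the original post, and not Visualforce). `jsEncodeModel` is a simplified stand-in for JSENCODE, and every function name and the sample string are assumptions made for illustration.

```javascript
// Added illustration: models encode-then-substitute in plain JavaScript.
// jsEncodeModel is a simplified stand-in for JSENCODE (assumption): it escapes
// only backslash, quotes, newlines and angle brackets.
const ESCAPES = {
  "\\": "\\\\", "'": "\\'", '"': '\\"',
  "\n": "\\n", "\r": "\\r",
  "<": "\\u003C", ">": "\\u003E",
};

function jsEncodeModel(text) {
  return String(text).replace(/[\\'"\n\r<>]/g, (ch) => ESCAPES[ch]);
}

// The encoded form of the one tag that is allowed back through.
const ENCODED_BR = jsEncodeModel("<br />");

// Models SUBSTITUTE(JSENCODE(value), <encoded br>, '<br />') with escaping off:
// everything is encoded first, then one fixed literal is restored.
function renderWithLineBreaks(untrusted) {
  return jsEncodeModel(untrusted).split(ENCODED_BR).join("<br />");
}

// Models escaping switched off with no encoding at all (the risky form).
function renderRaw(untrusted) {
  return String(untrusted);
}

// Lists every literal tag in the output other than the allowed line break.
function unexpectedTags(html) {
  return (html.match(/<[^>]*>/g) || []).filter((tag) => tag !== "<br />");
}

// Constructed sample input: two line breaks plus markup that must stay inert.
const sample = "Line one<br />Line two<br /><script>demo()</script>";

console.log(renderWithLineBreaks(sample));
console.log(unexpectedTags(renderRaw(sample)));            // script tags survive
console.log(unexpectedTags(renderWithLineBreaks(sample))); // only <br /> remains
```

The substitution stays safe only because the restored token is a fixed literal; any other markup in the input, including a differently spelled `<br/>`, remains encoded.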
