# cfml-general
d
What do you do when users enter multi-paragraph text that they want to have displayed like that? We used to use htmlEditFormat() then a function of our own that basically replaces newlines with br. When I replaced htmlEditFormat() with encodeForHTML() recently, that broke because encodeForHTML() filters out newlines, which htmlEditFormat() doesn't. So we need to encode special characters like <> etc, and other trickier riskier stuff that encodeForHTML() handles better, but also have a way to render multiple paragraphs like that's what they are. Thoughts?
m
Something like #rereplace(comment, chr(13),"<br />","all")#. Not sure if it's right in all situations, but has worked fine for me.
d
@Dave Merrill 20 years ago, the best option was to use something like paragraphFormat() because the state of the browsers was such that it was hard to preserve line breaks. However, I don't bother any more and just render those blocks in elements with "white-space: pre-line". You obviously still need to encodeForHtml(), but w/ pre-line, white space is collapsed but new lines are preserved. This almost always produces the exact content you want.
r
What about SerializeJSON() and deserializeJSON()? Should preserve the new lines and you can then either wrap the display in <pre></pre> or do the char replacement as others suggested for the newline characters.
d
We store what the user enters, as it's submitted and received by the server.
TESTING RESULTS on CF 2021, same on cfdocs and cffiddle:
htmlEditFormat keeps chr(10), deletes chr(13)
encodeForHTML replaces chr(10) w &#xa; replaces chr(13) w &#xd;
You can't replace CRs and LFs w <br> before encodeForHTML() or the LT and GT get encoded, and they're gone after calling it. Seems the solutions are <pre> or equivalent css, or replacing "&##xa;" and maybe "&##xd;" w "<br>" after encodeForHTML().
m
It depends on what you have stored. If it is already dirty, i.e. has possible markup, especially some you might want to keep, I would use either jsoup, AntiSamy (getSafeHtml()), or OWASP Java HTML Sanitizer, and provide it a list of allowed stuff and call it a day. Let those tools do the work for you. This is the strategy that should be at play when you use stuff like TinyMCE because HTML is expected but you still need to protect it, but won't be able to encodeForHtml(). If you are only trying to preserve the new lines, then do the replace before calling encodeForHtml() but replace it with something it isn't going to encode like [br], then encode, then replace that simpler string with actual brs. I would also recommend replacing anything with 3 or more consecutive of those br's with just 2, your display will thank you.
b
@Dave Merrill, When you say, "users enter multi-paragraph text that they want to have displayed like that", my immediate thoughts are: it depends. 1. Does CFML display the text back, directly after the user submits it; or 2. Does CFML first save the text to the database, then get it back and display it to the user? If case 2, it could be possible to make use of SQL's own char() function when storing and/or retrieving carriage-returns and line-feeds.
d
We don't encode anything to save it in the db. We save what the user entered, and it's all plain text, not HTML or other forms of rich text. The issue is only on display, where entities need to be encoded (<> etc), and CR/LF need to display as paragraph breaks. Yes white-space:pre-line works, I looked at that before posting. We'd have to make sure that css was applied everywhere we'd previously been doing the newlines to BRs conversion. One possibility is to have that function return html of a div containing the text with that styling applied inline. I'm somewhat concerned that may interact poorly with the rest of the page, need to explore.
c
Dave, I can't quite tell from all this but I want to point out that I wrote a udf 26 years ago, which I called textareaformat, that might still be helpful for you. See it on my old site (which I maintain for posterity) for more and the zip of the simple code, at https://www.systemanage.com/cff/textareaformat_help.cfm
d
Thanks Charlie, I'll keep that in mind. I've deferred this for now, went back to htmlEditFormat(). Bigger fires to fry, or something...
c
👍