Difference: VarENTITY ( vs. 1)

ENTITY{string} -- encode a string to HTML entities

• Encode "special" characters to HTML entities. Useful to encode text properly for HTML input fields.
• Encoded characters:
  • all non-printable ASCII characters below space, including newline ("\n") and linefeed ("\r")
  • Space
  • HTML special characters "<", ">", "&", single quote (') and double quote (")
  • TWiki special characters "%", "[", "]", "@", "_", "*", "=" and "|"
• Syntax: %ENTITY{string}%
• Example: %ENTITY{text with "quotes" and
newline}% expands to text with "quotes" and
newline
• Notes:
  • To protect against cross-site scripting (XSS), always entity encode text intended for HTML input fields. This is especially true if text is received dynamically via URLPARAM or the like.
    Example: <input type="text" name="address" value="%ENTITY{any text}%" />
  • %ENTITY{string}% is roughly equivalent to %ENCODE{ "string" type="html" }%, but the latter cannot handle strings that have double quotes embedded in it.
• Category: DevelopmentVariables, FormattingAndRenderingVariables, ExportAndPublishingVariables
• Related: ENCODE, FORMFIELD, QUERYPARAMS, URLPARAM