The OWASP Java Encoder Project recommends using both URL and HTML attribute encoding for href attributes to mitigate potential security vulnerabilities. In ColdFusion, this involves encoding dynamic URL parts with encodeForUrl() and then further encoding the href attribute with encodeForHtmlAttribute(). This double encoding approach addresses concerns when embedding URLs within HTML attributes, although the exact vulnerabilities it prevents are not clearly detailed in the OWASP documentation.
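The two layers correspond to the two parsers an href passes through: the HTML parser reads the attribute first, then the URL parser reads the decoded value. The following added example (not from the OWASP or ColdFusion documentation) uses Python's `urllib.parse.quote` and `html.escape` as stand-ins for `encodeForUrl()` and `encodeForHtmlAttribute()`, then reads the link back in parser order. The path `/search.cfm`, the parameter names `q` and `page`, and the sample value are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample value with characters special to the URL and HTML parsers.
SAMPLE = 'Tom & "Jerry" <3 #1'


def build_link(base, value, url_layer=True):
    """Build an <a> tag carrying `value` in q, followed by a fixed page=1."""
    # Layer 1 (stand-in for encodeForUrl): encode the dynamic URL component.
    component = quote(value, safe="") if url_layer else value
    url = base + "?q=" + component + "&page=1"
    # Layer 2 (stand-in for encodeForHtmlAttribute): encode the whole href.
    return '<a href="' + escape(url, quote=True) + '">results</a>'


class _HrefGrabber(HTMLParser):
    """Records the href of the first <a> tag as an HTML parser decodes it."""

    def __init__(self):
        super().__init__()
        self.href = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.href is None:
            self.href = dict(attrs).get("href")


def read_back(html_fragment):
    """Undo the layers in parser order: HTML attribute first, then URL query."""
    grabber = _HrefGrabber()
    grabber.feed(html_fragment)
    grabber.close()
    if grabber.href is None:
        return {}
    return parse_qs(urlsplit(grabber.href).query)


if __name__ == "__main__":
    for url_layer in (True, False):
        link = build_link("/search.cfm", SAMPLE, url_layer)
        print("url_layer=%s" % url_layer)
        print("  markup:", link)
        print("  query :", read_back(link))
```

With both layers the value survives unchanged and `page` stays a separate parameter. With only the attribute layer the markup is still well-formed, but the URL parser cuts `q` at the first `&` and loses `page` to the fragment after `#`.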