portal entry

Yes, there is indeed far more benefit to that than the very old htmleditformat (which only encoded a few characters). And more than just using encodeforhtml, consider also the related functions also added with it in CF10 (encodeforurl, encodeforjavascript, etc.), and/or their member function equivalents added in CF2016. These all perform encoding based on the OWASP ESAPI project. As you posted <a href="https://coldfusion.adobe.com/2019/08/input-validation-avoid-xss/">another question at the same time</a>, and I had already answered that in more detail, with links to references, I would point you (and readers of this) to that for more on the encodefor features and their benefits.

Comment by Charlie Arehart

I found, somehow, the EncodeForHTML ruined emoji in the text (turned them into "? in diamond") while the old depreciated HTMLEditFormat didn't. Is there a way we can use the newer, better EncodeForHTML while keeping emoji

Comment by Billy Fan

All these functions simply control what HTML is generated. Look at the page you are seeing the problem on, and do a "view source". Report what you are seeing. Maybe someone can then recommend a better solution--or help understand why you are hitting the problem, in which case you may want to open a bug report at tracker.adobe.com instead.

Comment by Charlie Arehart

That would be a good one for StackOverflow

Comment by James Mohler