Tracker Issue encodeFor attribute for cfoutput, writeOutput
2673641 CF-4120074 External U. Needs to be reopened. The functions are out of alphabetical order (all the other ones are).
It lists:
[...]
EncodeForHTML
EncodeForCSS
FormatBaseN
GetLocale
EncodeForHTMLAttribute
EncodeForJavaScript
EncodeForURL
EncodeForXML
EncodeForXMLAttribute
EncodeForXPath
Get
Comment on The encodeFor value is not passed to nested cfoutput tags by Aaron N.
Comment on EncodeForURL encoding spaces as + instead of %20 by External U.
Comment on EncodeForURL encoding spaces as + instead of %20 by S V.
Comment on encodeFor attribute for cfoutput, writeOutput by External U.
Tracker Comment Comment on Details on WriteOutput by S P.
2673644 CF-4120000 S P. Hi James,
Yes, the behavior of the 'EncodeFor' argument in the writeOutput() function is similar to the 'EncodeFor' functions.
Tracker Comment Comment on encodeFor attribute for cfoutput, writeOutput by S V.
Portal Topic EncodeForHTML vs. HTMLEditFormat
Tracker Comment Comment on Docs for encodeForHtml() not helpful by S P.
Tracker Comment Comment on Docs for encodeForHtml() not helpful by CFwatson U.
[ANeff] ER for: canonicalization in encodeFor_() functions to be configurable
Comment on encodeFor attribute for cfoutput, writeOutput by External U.
Comment on encodeFor attribute for cfoutput, writeOutput by Rupesh K.
Comment on encodeFor attribute for cfoutput, writeOutput by External U.
The encodeFor value is not passed to nested cfoutput tags
Comment on encodeFor attribute for cfoutput, writeOutput by External U.
Comment on encodeFor attribute for cfoutput, writeOutput by Rupesh K.
Comment on encodeFor attribute for cfoutput, writeOutput by External U.
Tracker Comment Comment on encodeFor attribute for cfoutput, writeOutput by S P.
Comment on encodeFor attribute for cfoutput, writeOutput by External U.
Comment on encodeFor attribute for cfoutput, writeOutput by Aaron N.
Tracker Comment Comment on encodeFor attribute for cfoutput, writeOutput by S V.
Comment on EncodeForURL encoding spaces as + instead of %20 by S V.
Portal Comment Comment on EncodeForHTML vs. HTMLEditFormat by James Mohler
Tracker Comment Comment on Docs for encodeForHtml() not helpful by External U.
Portal Comment Comment on EncodeForHTML vs. HTMLEditFormat by Billy Fan
Tracker Issue Member functions for encoding
2608653 CF-4033628 Language Neil Pugh Member functions for encoding Create member functions for the new encoding functions:
encodeForHTML
encodeForJavascript
encodeForHTMLAttribute
and for the rest
Tracker Issue encodeForXML()
Tracker Comment Comment on [ANeff] ER for: canonicalization in encodeFor_() functions to be configurable by External U.
Tracker Issue EncodeForURL encoding spaces as + instead of %20
Tracker Issue encodeForHtml/decodeForHtml forcing HTML entities for uppercase accent characters to lower case
Portal Topic ColdFusion 2016 Security Enhancements: EncodeFor
Portal Comment Comment on ColdFusion (2016 release) Update 9 and ColdFusion 11 Update 17 released by ehoffmandscxn
ehoffmandscxn for reference: we switched to `encodeForURL()` method. Now works again.
Tracker Issue EncodeForHTML mangles strings containing %[0-F][0-F]
Tracker Comment Comment on Docs for encodeForHtml() not helpful by CFwatson U.
Comment on EncodeForHTML mangles strings containing %[0-F][0-F] by External U.
Tracker Comment Comment on encodeForXML() by External U.
Comment on The encodeFor value is not passed to nested cfoutput tags by Peter F.
Security Analyzer - Does not flag incorrect EncodeFor Contexts
Tracker Comment Comment on Details on WriteOutput by External U.
2673644 CF-4120000 External U. Thanks for the suggestions Adam. We've updated the topic at:
https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-t-z/writeoutput.html
In addition, we've also documented EncodeForDN and EncodeForLDAP functions. These were not documented
OWASP Encoder Functions not XSS Safe in all contexts, eg encodeForHTML in JS
Comment on EncodeForURL encoding spaces as + instead of %20 by External U.
Tracker Comment Comment on OWASP Encoder Functions not XSS Safe in all contexts, eg encodeForHTML in JS by External U.
Tracker Comment Comment on Docs for encodeForHtml() not helpful by External U.
Comment on EncodeForHTML mangles strings containing %[0-F][0-F] by External U.
Tracker Comment Comment on encodeForXML() by External U.
Tracker Issue Details on WriteOutput
2673644 CF-4120000 Documentation James Mohler Details on WriteOutput Problem Description:
https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-t-z/writeoutput.html#main-pars_text_0
Mentions "EncodeFor"
It is unclear if these are the same as the EncodeFor functions
2613365 CF-3329177 Documentation Adam Cameron Deprecate obsolete and potentially dangerous encoding functionality From http://stackoverflow.com/questions/10604987/should-encodeforhtml-encodeforurl-be-used-from-cf10-onward-in-flavor-of-h/10612662#10612662
{quote}
In an earlier question encodeFor
2610296 CF-3712186 External U. Hi Adam,
I just emailed Jacob about the canonicalize() and encodeFor__() docs. On each of those pages, their category (which is listed as "Display and formatting functions") is unclickable. Additionally, they are not listed under that category, nor are they listed
Tracker Comment Comment on Deprecate obsolete and potentially dangerous encoding functionality by External U.
of the ToBinary doc: "Adobe recommends that you use the BinaryDecode function to convert Base64 encoded data to binary data in all new applications."
Thus, suggestions:
HTMLEditFormat doc: "Adobe recommends that you use the EncodeForHTML function, not the HTMLEditFormat function, to escape special
Tracker Issue Docs for encodeForHtml() not helpful
2609627 CF-3818770 Language Raymond Camden Elvis operator executes RHS (right hand side) when it doesn't need to. Consider this example:
function getfoo() {
writeoutput("do you see me?");
return "foo";
}
username = encodeForHTML(url.name) ?: "Anonymous";
writeOutput(username);
u2
Tracker Issue decodeForHTML()
important reason is to allow updatability of EncodeForHTML by Adobe in the future. (we don't want existence of UDFs to prevent updating EncodeForHTML, like it's preventing updating the existing 2 functions).
As far as use cases, there must be plenty if people are using their own UDFs and that has prevented
Tracker Comment Comment on Member functions for encoding by External U.
2608653 CF-4033628 External U. Well they're a bit too focused to be methods of a String class; they're about encoding, they're not about *strings* per se.
So they should be in something like:
String Encode.forHtml(String stringToEncode)
String methods should only relate to the general concept
Tracker Comment Comment on Member functions for encoding by External U.
for the class, and the methods themselves should be the same as their procedural counterparts, so:
static String StringEncoder.encodeForHtml(String stringToEncode)
Tracker Issue Update esapi.jar to 2.2
this was an issue in the esapi jar and is fixed in the most recent version esapi-2.2.0.0.jar
I was working with legacy code and replaced all occurrences of HTMLEditFormat with EncodeForHTML and JSStringFormat with EncodeForJavaScript.
This led to double encodings which I wanted to correct by setting the second
Portal Topic SAML in ColdFusion
samueljo@adobe.com SAML in ColdFusion A rough overview of the SAML feature available in ColdFusion 2021. Learn how to create and deploy a simple SAML SSO application.
Comment on EncodeForHTML vs. HTMLEditFormat by Charlie Arehart
Tracker Comment Comment on Security Analyzer - Does not flag incorrect EncodeFor Contexts by CFwatson U.
Tracker Comment Comment on OWASP Encoder Functions not XSS Safe in all contexts, eg encodeForHTML in JS by External U.
Tracker Comment Comment on CFHTMLTOPDF by External U.
2608329 CF-4125142 External U. Using https://www.google.co.uk/?p=123&a=456 as an example you get the following error:
Error occurred while generating PDF.Reason: THE REFERENCE TO ENTITY ""A"" MUST END WITH THE ';' DELIMITER
I assume it's because the & is a special char.
Using EncodeForURL doesn
Tracker Comment Comment on [ANeff] ER for: canonicalization in encodeFor_() functions to be configurable by External U.
2609683 CF-3807350 Security George Alsobrooks Inconsistent naming standard between DecodeForHTML and DecodeFromURL Function name DecodeForHTML should be renamed to DecodeFromHTML. ColdFusion 10 added several commands to EncodeForXXXXX. These are all named consistently and start with ‘EncodeFor
Tracker Issue Display and Formatting function list page incomplete
2673641 CF-4120074 Documentation Adam Cameron Display and Formatting function list page incomplete https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-by-category/display-and-formatting-functions.html
This only lists one of the encodeFor~ functions. Should list all
Tracker Comment Comment on OWASP Encoder Functions not XSS Safe in all contexts, eg encodeForHTML in JS by CFwatson U.
Tracker Comment Comment on Bizzare behavior in cflayout due to change in default setting for action in cfform by Adobe D.
2614735 CF-3080158 Adobe D. Done ad hoc testing; things are working fine.
On OWASP it is clearly mentioned.
EncodeForHTMLAttribute: This should not be used for complex attributes like href, src, style, or any of the event handlers like onmouseover.
url :
https
Tracker Comment Comment on decodeForHTML() by Adobe D.
2614206 CF-3125862 Adobe D. Functions
Bug Number:CF-3125857
Reviewer: Kiran
Description: Added new encoding and decoding functions.
String EncodeForXML(String, [strict]) - Encodes the given input string for XML. throws exception for mixed/multiple encoding if strict is true
String Decodefor
Comment on EncodeForHTML vs. HTMLEditFormat by Charlie Arehart
Tracker Comment Comment on Values coming from in-built struct objects/tag-specific variables should not be flagged for vulnerability. by S P.
2675044 CF-4087973 S P. Certain scenarios to be covered as part of this bug:
1)
SELECT ARTISTID, FIRSTNAME, LASTNAME, EMAIL, THEPASSWORD, ADDRESS, CITY, STATE, POSTALCODE, PHONE, FAX
FROM ARTISTS
WHERE 1=1
#listing.recordCount#
#listing.currentRow# - #encodeFor
attributes for the rest of each plugin's options)
-- Twitter Tweet Button
--- changed encodeForURL(ATTRIBUTES.url) to encodeForHTMLAttribute(ATTRIBUTES.url) (line 273 of socialplugin.cfm)
-- Google +1 Button
--- changed encodeForURL(ATTRIBUTES.url) to encodeForHTMLAttribute(ATTRIBUTES.url) (line 315
implementations.
Specifically I've just been undone by encodeForHtml() not having been done.
You guys need to lift your game when it comes to doing your job thoroughly. How did this get all the way through planning, dev, testing, QA without this being noticed? It's just slack.
--
Adam
2610296 CF-3712186 External U. Hi Rupesh,
Ah, yes, you're right regarding BinaryEncode, CharsetEncode and FormatBaseN. I was just iterating over Awdhesh's list in his comment on 11:56:41 PM GMT+00:00 Feb 26, 2014.
However, the following aren't done and should be:
canonicalize()
encodeForUrl()
is
Tracker Issue [ANeff] Bug for: THIS.searchImplicitScopes=false breaks web service argumentCollection
Arg="foobar"};
cfhttp(url='http://' & CGI.HTTP_HOST & getDirectoryFromPath(CGI.SCRIPT_NAME) & 'MyCFC.cfc?method=myFunction&argumentCollection=' & serializeJSON(myArgs).encodeForURL() & '&returnFormat=json');
writeOutput(CFHTTP.FileContent);//returns {"MYARG":null} (bad)
cfwddx(action="cfml2wddx", input
2673380 CF-4126669 Security Analyzer David Epler Security Analyzer - Better information for HTMLEditFormat Prior to ColdFusion 10, the only way to escape/encode for XSS was mostly through the use of HTMLEditFormat. This function was deprecated when in ColdFusion 10 the ESAPI EncodeFor* functions
Portal Topic Open Web Application Security Project – OWASP
://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-c-d/Canonicalize.html https://en.wikipedia.org/wiki/Left-to-right_mark https://github.com/jmohler1970/FormUtils
, FAX
FROM ARTISTS
WHERE 1=1
#listing.recordCount#
#listing.currentRow# - #encodeForHTML(listing.lastName & ", " & listing.firstName)#
Actual Result:
listing.recordCount and listing.currentRow are marked as XSS, Error, High
Expected Result:
They should not be marked
Tracker Issue Security scanner: incorrect analysis
.messageWithFunction = ucase(variables.scopedMessage);
writeOutput(variables.messageWithFunction);
variables.messageFollowingGuidance = encodeForHtml(unscopedMessage);
writeOutput(variables.messageFollowingGuidance);
This line is singled-out with an XSS warning:
writeOutput(variables.messageWithFunction);
Why
Tracker Issue Many string member functions not implemented
()
deserializeJson()
encodeForUrl() (and I presume the other encoding functions)
encrypt()
hash()
htmlEditFormat() (and probably htmlCodeFormat())
isDate() (and I presume other type-checking functions)
isNumeric()
isValid()
javaCast()
jsStringFormat()
listValueCount()
LSParseEuroCurrency() (and there'll be a few
of encoding (for a first implementation "all" as value would be enough, later "edit" and "code" could be added)
quote_style = Defines whether single and/or double quotes shall also be encoded (possible values: "double", "single", "both" and "none"; default: "double")
charset = Charset used for the conversion
NullWithLocallyScopedVariableMatchesGlobalVariableName();
worksAsExpected = testNullWithUniquelyNamedLocallyScopedVariable();
brokenInAllVersionsOfColdFusion = testNullWithLocallyScopedVariableBrokenInAllVersionOfColdFusion();
evenUsingScopeDoesNotWork = testNullEvenUsingLocalScopeDoesNotWork();
brokenOnlyInCF2016 = null#encodeFor
2610296 CF-3712186 External U. Hi Rupesh,
Regarding "As of now, we have considered String functions listed at
https://wikidocs.adobe.com/wiki/display/coldfusionen/String+functions"
Issues:
1) This ticket covers canonicalize() and encodeFor*(). Those are listed on that string functions page. Those
Tracker Comment Comment on Bug 83860:structCopy() no longer works on the result of cfhttp by Aaron N.
Output(CFHTTP.getClass().getName())//coldfusion.runtime.StructBean
cfwddx(action="cfml2wddx", input=CFHTTP, output="FromCFMLToWDDX")
writeOutput('' & FromCFMLToWDDX.reMatch("")[1].encodeForHTML())//
cfwddx(action="wddx2cfml", input=FromCFMLToWDDX, output="FromWDDXToCFML")
writeOutput('' & From
Tracker Comment Comment on OWASP Encoder Functions not XSS Safe in all contexts, eg encodeForHTML in JS by CFwatson U.
Portal Comment Comment on Input validation to avoid XSS by JS_Webtrax
after applying EncodeForHTML to see if the values still matched seemed simple enough at first except that many characters that it encodes would be valid entries in the original input that would cause the text values to not match: Bob’s Burgers would have encoded value of Bob's Burgers and would look