Portal Topic EncodeForHTML vs. HTMLEditFormat
Tracker Comment Comment on Docs for encodeForHtml() not helpful by S P.
Tracker Comment Comment on Docs for encodeForHtml() not helpful by CFwatson U.
Tracker Comment Comment on encodeFor attribute for cfoutput, writeOutput by S V.
2612744 CF-3434473 S V. Hi John,
Yes, all the occurrences of #url.id# will be encoded using the encodeForHTML function.
#url.name#
Go to whatever.cfm?id=#url.id#
equivalent code is
#EncodeForHTML(url.name)#
Go to whatever.cfm?id=#EncodeForHTML(url.id)#
Thanks,
Pavan.
Portal Comment Comment on EncodeForHTML vs. HTMLEditFormat by James Mohler
Tracker Comment Comment on Docs for encodeForHtml() not helpful by External U.
Portal Comment Comment on EncodeForHTML vs. HTMLEditFormat by Billy Fan
Tracker Issue encodeForHtml/decodeForHtml forcing HTML entities for uppercase accent characters to lower case
Tracker Issue EncodeForHTML mangles strings containing %[0-F][0-F]
Tracker Comment Comment on Docs for encodeForHtml() not helpful by CFwatson U.
Comment on EncodeForHTML mangles strings containing %[0-F][0-F] by External U.
OWASP Encoder Functions not XSS Safe in all contexts, eg encodeForHTML in JS
2612744 CF-3434473 External U. Hi David,
I like the idea you and Adam were discussing. Suggestion:
Example:
would be the default and the same as:
.myClass {color:#myColor#;}
#myHTML#
would be the same as:
.myClass {color:#encodeForCSS(myColor)#;}
#encodeForHTML
Tracker Comment Comment on OWASP Encoder Functions not XSS Safe in all contexts, eg encodeForHTML in JS by External U.
Tracker Comment Comment on Docs for encodeForHtml() not helpful by External U.
Comment on EncodeForHTML mangles strings containing %[0-F][0-F] by External U.
Tracker Issue Member functions for encoding
2608653 CF-4033628 Language Neil Pugh Member functions for encoding Create member functions for the new encoding functions:
encodeForHTML
encodeForJavascript
encodeForHTMLAttribute
and for the rest
Tracker Issue decodeForHTML()
important reason is to allow updatability of EncodeForHTML by Adobe in the future. (we don't want existence of UDFs to prevent updating EncodeForHTML, like it's preventing updating the existing 2 functions).
As far as use cases, there must be plenty if people are using their own UDFs and that has prevented
Tracker Issue Docs for encodeForHtml() not helpful
2612744 CF-3434473 External U. @Adam,
The proper encoding for the block is:
#encodeForHTML(url.name)#
Go to whatever.cfm?id=#encodeForHTML(url.id)#
So ultimately, I would have preferred that Adobe had put a list of ERs to the PR and said take a look at them and discuss as opposed to a vacuum
2609627 CF-3818770 Language Raymond Camden Elvis operator executes RHS (right hand side) when it doesn't need to. Consider this example:
    function getfoo() {
        writeoutput("do you see me?");
        return "foo";
    }
    username = encodeForHTML(url.name) ?: "Anonymous";
    writeOutput(username);
u2
Tracker Comment Comment on Member functions for encoding by External U.
2608653 CF-4033628 External U. Well they're a bit too focused to be methods of a String class; they're about encoding, they're not about *strings* per se.
So they should be in something like:
String Encode.forHtml(String stringToEncode)
String methods should only relate to the general concept
Tracker Comment Comment on Member functions for encoding by External U.
for the class, and the methods themselves should be the same as their procedural counterparts, so:
static String StringEncoder.encodeForHtml(String stringToEncode)
Tracker Comment Comment on OWASP Encoder Functions not XSS Safe in all contexts, eg encodeForHTML in JS by External U.
Comment on EncodeForHTML vs. HTMLEditFormat by Charlie Arehart
2673641 CF-4120074 External U. Needs to be reopened. The functions are out of alphabetical order (all the other ones are).
It lists:
[...]
EncodeForHTML
EncodeForCSS
FormatBaseN
GetLocale
EncodeForHTMLAttribute
EncodeForJavaScript
EncodeForURL
EncodeForXML
EncodeForXMLAttribute
EncodeForXPath
Get
Tracker Issue encodeFor attribute for cfoutput, writeOutput
2612744 CF-3434473 Security David Epler encodeFor attribute for cfoutput, writeOutput While ColdFusion 10 added the various ESAPI encodeFor* functions, it is dependent upon the developer to properly wrap each location where a value is used with the appropriate function (e.g. #EncodeForHTML(url.name)#). Adding
2613365 CF-3329177 Documentation Adam Cameron Deprecate obsolete and potentially dangerous encoding functionality From http://stackoverflow.com/questions/10604987/should-encodeforhtml-encodeforurl-be-used-from-cf10-onward-in-flavor-of-h/10612662#10612662
{quote}
In an earlier question encodeForHtml
Tracker Comment Comment on OWASP Encoder Functions not XSS Safe in all contexts, eg encodeForHTML in JS by CFwatson U.
Tracker Comment Comment on OWASP Encoder Functions not XSS Safe in all contexts, eg encodeForHTML in JS by CFwatson U.
Portal Topic ColdFusion 2016 Security Enhancements: EncodeFor
on the victims […] Tags: Blog, cfoutput, encodeFor, encodeForHTML, security
Tracker Issue Update esapi.jar to 2.2
This was an issue in the ESAPI jar and is fixed in the most recent version, esapi-2.2.0.0.jar.
I was working with legacy code and replaced all occurrences of HTMLEditFormat with EncodeForHTML and JSStringFormat with EncodeForJavaScript.
This led to double encodings which I wanted to correct by setting the second
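The double-encoding problem in the comment above and the issue titled "EncodeForHTML mangles strings containing %[0-F][0-F]" are two faces of the same mechanism: whether the value is canonicalized (decoded) before it is encoded. The following is an added example, not code from the tracker or from ColdFusion. It models in JavaScript an encodeForHTML with the optional second canonicalize argument that ColdFusion's function accepts; the decoders it runs (HTML character references and percent-encoding, repeated until the string stops changing) are an assumption about how ESAPI's canonicalizer behaves, chosen to show both effects on constructed inputs.

```javascript
"use strict";

// Added example; HTML_ENTITIES follows the ESAPI-style table, an assumption of this model.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};
const NAMED_REFS = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// One pass of HTML character-reference decoding.
function decodeHtmlOnce(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, ref) => {
    if (ref[0] !== "#") return NAMED_REFS[ref.toLowerCase()] || match;
    const cp = /^#[xX]/.test(ref) ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
    return String.fromCodePoint(cp);
  });
}

// One pass of percent-decoding, the codec that turns a literal "%20" into a space.
function decodePercentOnce(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Canonicalize: run the decoders until the string stops changing. This is what lets
// canonicalization unwind data that was stored already encoded, and also what makes it
// consume a genuine %HH sequence in ordinary text.
function canonicalize(s) {
  let prev;
  let cur = String(s);
  do {
    prev = cur;
    cur = decodePercentOnce(decodeHtmlOnce(cur));
  } while (cur !== prev);
  return cur;
}

// encodeForHTML(string, canonicalize) as modelled here: optional decode, then encode once.
function encodeForHTML(s, canonicalizeFirst = false) {
  const src = canonicalizeFirst ? canonicalize(s) : String(s);
  return src.replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// Constructed inputs for the two situations discussed on the page.
const LEGACY_STORED = "Tom &amp; Jerry &lt;3";   // saved by code that ran HTMLEditFormat before storing
const LITERAL_PERCENT = "use coupon SAVE%20NOW";  // plain text that happens to contain %[0-F][0-F]

function demo() {
  return {
    // Encoding already-encoded data again: the page shows "Tom &amp; Jerry &lt;3" literally.
    legacyDoubleEncoded: encodeForHTML(LEGACY_STORED),
    // Canonicalize first: the page shows "Tom & Jerry <3", encoded exactly once.
    legacyCanonicalized: encodeForHTML(LEGACY_STORED, true),
    // Plain encode leaves the coupon text intact.
    percentKept: encodeForHTML(LITERAL_PERCENT),
    // Canonicalize first: the percent codec fires and the text itself is changed.
    percentMangled: encodeForHTML(LITERAL_PERCENT, true),
  };
}

console.log(demo());
```

Canonicalizing fixes data that reached the page already encoded, but every codec in the canonicalizer also fires on innocent text that merely looks encoded, which is how a literal %20 becomes a space. The durable fix is to store values raw and encode them once at output; ESAPI's own canonicalizer can be configured to reject multiply or mixed encoded input rather than silently unwinding it the way this model does.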
Comment on EncodeForHTML vs. HTMLEditFormat by Charlie Arehart
Tracker Comment Comment on Values coming from in-built struct objects/tag-specific variables should not be flagged for vulnerability. by S P.
2675044 CF-4087973 S P. Certain scenarios to be covered as part of this bug:
1)
SELECT ARTISTID, FIRSTNAME, LASTNAME, EMAIL, THEPASSWORD, ADDRESS, CITY, STATE, POSTALCODE, PHONE, FAX
FROM ARTISTS
WHERE 1=1
#listing.recordCount#
#listing.currentRow# - #encodeForHTML
implementations.
Specifically I've just been undone by encodeForHtml() not having been done.
You guys need to lift your game when it comes to doing your job thoroughly. How did this get all the way through planning, dev, testing, QA without this being noticed? It's just slack.
--
Adam
2673379 CF-4126670 Security Analyzer David Epler Security Analyzer - Does not flag incorrect EncodeFor Contexts The security analyzer seems to only be checking for EncodeForHTML regardless of the context of where the variable is used. This is incorrect. If the variable is being used in an HTML
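The issue titled "OWASP Encoder Functions not XSS Safe in all contexts, eg encodeForHTML in JS" and the Security Analyzer report above turn on one point: the encoder has to match the context in which the browser parses the value. The following is an added example, not code from the tracker, from ColdFusion or from ESAPI. It re-implements ESAPI-style encodeForHTML and encodeForJavaScript rules in JavaScript (assumed close enough to ColdFusion's functions for the demonstration), simulates the character-reference decoding a browser applies to an HTML attribute value, and checks whether an untrusted value placed into a hypothetical onclick handler stays inside the string literal the template put it in.

```javascript
"use strict";

// Added example. HTML encoder (ESAPI-style table, an assumption of this model):
// neutralises the characters the HTML tokenizer acts on.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};
function encodeForHTML(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// JavaScript string encoder (ESAPI-style rule): every UTF-16 unit outside [A-Za-z0-9]
// becomes \xHH or \uHHHH, so nothing in the output can end a JS string literal.
function encodeForJavaScript(s) {
  const str = String(s);
  let out = "";
  for (let i = 0; i < str.length; i++) {
    if (/[A-Za-z0-9]/.test(str[i])) { out += str[i]; continue; }
    const unit = str.charCodeAt(i);
    out += unit < 0x100
      ? "\\x" + unit.toString(16).toUpperCase().padStart(2, "0")
      : "\\u" + unit.toString(16).toUpperCase().padStart(4, "0");
  }
  return out;
}

// What the HTML tokenizer does to an attribute value before the JS engine sees it:
// character references are decoded. (Inside a <script> element they are not.)
const NAMED_REFS = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
function decodeAttributeValue(attr) {
  return attr.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, ref) => {
    if (ref[0] !== "#") return NAMED_REFS[ref.toLowerCase()] || match;
    const cp = /^#[xX]/.test(ref) ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
    return String.fromCodePoint(cp);
  });
}

// Index of the quote that terminates the single-quoted literal opening at js[open], or -1.
// Backslash escapes are honoured, which is exactly why \x27 cannot close a literal while a
// decoded ' can.
function stringLiteralEnd(js, open) {
  for (let i = open + 1; i < js.length; i++) {
    if (js[i] === "\\") { i += 1; continue; }
    if (js[i] === "'") return i;
    if (js[i] === "\n" || js[i] === "\r") return -1;
  }
  return -1;
}

// Hypothetical template under test: <a onclick="track('#encoder(url.name)#')">.
// Returns the attribute text the template emits, the JS the browser actually runs, and
// whether the untrusted value stayed inside the literal the template put it in.
function renderOnclick(value, encoder) {
  const attributeText = "track('" + encoder(value) + "')";
  const js = decodeAttributeValue(attributeText);
  const closesAt = stringLiteralEnd(js, js.indexOf("'"));
  return { attributeText, js, contained: closesAt === js.length - 2 };
}

// Constructed attacker value: closes the literal and the call, then runs its own code.
const PAYLOAD = "'); alert(document.cookie); ('";

function demo() {
  return {
    htmlEncoded: renderOnclick(PAYLOAD, encodeForHTML),      // wrong encoder for this context
    jsEncoded: renderOnclick(PAYLOAD, encodeForJavaScript),  // right encoder for this context
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

encodeForHTML fails in the handler because the HTML tokenizer turns &#x27; back into a quote before the JavaScript engine runs, so the payload's `'); alert(...)` executes; encodeForJavaScript's \x27 survives that step as an escape sequence and the value remains data. Per OWASP's layering guidance, a value in an event-handler attribute gets JavaScript encoding inside HTML-attribute encoding, while a value in a <script> element, where no attribute decoding happens, gets encodeForJavaScript alone; a scanner that only looks for the presence of EncodeForHTML cannot tell these cases apart.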
Tracker Comment Comment on Deprecate obsolete and potentially dangerous encoding functionality by External U.
of the ToBinary doc: "Adobe recommends that you use the BinaryDecode function to convert Base64 encoded data to binary data in all new applications."
Thus, suggestions:
HTMLEditFormat doc: "Adobe recommends that you use the EncodeForHTML function, not the HTMLEditFormat function, to escape special
, FAX
FROM ARTISTS
WHERE 1=1
#listing.recordCount#
#listing.currentRow# - #encodeForHTML(listing.lastName & ", " & listing.firstName)#
Actual Result:
listing.recordCount and listing.currentRow are marked as XSS, Error, High
Expected Result:
They should not be marked
Tracker Issue Security scanner: incorrect analysis
.messageWithFunction = ucase(variables.scopedMessage);
writeOutput(variables.messageWithFunction);
variables.messageFollowingGuidance = encodeForHtml(unscopedMessage);
writeOutput(variables.messageFollowingGuidance);
This line is singled-out with an XSS warning:
writeOutput(variables.messageWithFunction);
Why
NullWithLocallyScopedVariableMatchesGlobalVariableName();
worksAsExpected = testNullWithUniquelyNamedLocallyScopedVariable();
brokenInAllVersionsOfColdFusion = testNullWithLocallyScopedVariableBrokenInAllVersionOfColdFusion();
evenUsingScopeDoesNotWork = testNullEvenUsingLocalScopeDoesNotWork();
brokenOnlyInCF2016 = null#encodeForHtml
Tracker Comment Comment on Bug 83860:structCopy() no longer works on the result of cfhttp by Aaron N.
Output(CFHTTP.getClass().getName())//coldfusion.runtime.StructBean
cfwddx(action="cfml2wddx", input=CFHTTP, output="FromCFMLToWDDX")
writeOutput('' & FromCFMLToWDDX.reMatch("")[1].encodeForHTML())//
cfwddx(action="wddx2cfml", input=FromCFMLToWDDX, output="FromWDDXToCFML")
writeOutput('' & From
Portal Comment Comment on Input validation to avoid XSS by JS_Webtrax
after applying EncodeForHTML to see if the values still matched seemed simple enough at first except that many characters that it encodes would be valid entries in the original input that would cause the text values to not match: Bob’s Burgers would have encoded value of Bob's Burgers and would look