tracker issue : CF-3080158

Title:

Bizarre behavior in cflayout due to change in default setting for action in cfform


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): / ext-user (Gaurav Tiwari)

Created: 01/04/2012

Components: AJAX, UI Components

Versions: 10.0

Failure Type: Incorrect w/Workaround

Found In Build/Fixed In Build: BETA 1 / 280648, 282010, 282141

Priority/Frequency: Normal / Unknown

Locale/System: English / Mac 10 All,Win XP All

Vote Count: 0

Problem:
CFLAYOUT is broken due to change in default behavior for action attribute in CFFORM. 
The change in behavior from CF9: if the user doesn't specify action in cfform, no action is generated in the generated HTML; it used to take the value of the current URL.

Method:

1. Copy all the files attached in a folder in webroot.
2. Run index.cfm
3. Click submit multiple times.
4. CFLAYOUT window starts getting duplicated.
5. Run the repro in IE. Error is shown.

Result:

Expected:

Workaround:

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3080158

External Customer Info:
External Company:  
External Customer Name:  
External Customer Email:

Attachments:

Comments:

Shilpi, Could you please look into this?
Comment by Rupesh K.
20888 | January 09, 2012 05:43:48 AM GMT
What is the expected behaviour for this test case? I switched off our change for not generating the Action. Now, with the action getting generated, this is the behavior:
1. In IE: Only one submit button is coming. And the difference is the URL exception is not coming.
2. In Chrome: Whenever we submit, nothing happens.
(Comment added from ex-user id:shilpik)
Comment by Adobe D.
20889 | January 10, 2012 01:35:50 AM GMT
CFLayout, Ajax Tags, Security
Bug Number: CF-3080158
Reviewer: Awdhesh
Description: We stopped adding the action attribute (if not specified in the tag) for the cfform tag due to an XSS security issue. Due to this, Ajax tags which embed a cfm as a URL bind fail. Fixing it. Now we will add the source page URL in action (without query string) in case action was not specified and the call came from another Ajax tag. However, we strongly recommend people explicitly setting the action in the form.
Smokes Passed: Yes
Note for QA: Yes, please verify similar Ajax tags which add a URL in source
Note for Doc: no
Note for IDE: no
Merge for Hot-fix: yes
(Comment added from ex-user id:shilpik)
Comment by Adobe D.
20890 | January 11, 2012 05:08:29 AM GMT
As given by Aaron, here is the repro:
No, it is not (here’s a simpler repro, using cfwindow):
index.cfm
----------------------
    <cfparam name="URL.a" type="string" default="b" />
    <cfajaximport tags="cfform" />
    <cfwindow source="included_page.cfm?a=#URL.a#" initshow="true" />
included_page.cfm
----------------------
    <cfform><cfinput type="submit" name="submit" value="submit" /></cfform>
    <cfdump var="#URL#" />
After clicking submit, see CF10 breaks the URL scope. That issue is.. this:
    <form id="CFForm_1" onsubmit="return ColdFusion.Ajax.checkForm(this, _CF_checkCFForm_1,'cf_window1331198062057_body')" method="post" action="/tests/cflayoutareaformaction/included_page.cfm" name="CFForm_1">
Becomes this:
    <form id="CFForm_1" onsubmit="return _CF_checkCFForm_1(this)" method="post" name="CFForm_1">
Comment by Rupesh K.
20891 | March 12, 2012 05:05:08 AM GMT
The behavior mentioned is already fixed. It was not merged in the Public beta build. Retested with the given test repro. Everything is working. (Comment added from ex-user id:shilpik)
Comment by Adobe D.
20892 | March 12, 2012 05:37:22 AM GMT
GT please re-verify and check with Aaron. (Comment added from ex-user id:shilpik)
Comment by Adobe D.
20893 | March 12, 2012 05:47:28 AM GMT
We will not push this for next release. I will be making a fix and we will have a flag to roll back to CF9 behavior. We will however need some enhancements in the test kit and add some special test cases for this testing. (Comment added from ex-user id:shilpik)
Comment by Adobe D.
20894 | March 19, 2012 12:30:32 AM GMT
http://prerelease.adobe.com/r/?db2bf6e6ce594c48b0a1655ecc61609d (Comment added from ex-user id:shilpik)
Comment by Adobe D.
20895 | March 19, 2012 12:33:17 AM GMT
We will now be generating the action if it was not specified. However, we will be encoding the action. EncodeforHTMLAttribute and EncodeforURL are used respectively for each query parameter. For turning off encoding and taking it to CF901 and before behavior, one can add the -Dcoldfusion.encodeformaction=false system property. This will roll back the behavior to CF901 behavior where we will generate the form action with script name and query parameters. This is however prone to XSS attacks and is not recommended for use. It is only for backward compatibility.
Changelist comment:
FormTag
Bug Number: CF-3080158
Reviewer: Awdhesh
Description: We will now be generating the action if it was not specified. However, we will be encoding the action. EncodeforHTMLAttribute and EncodeforURL are used respectively for each query parameter. For turning off encoding and taking it to CF901 and before behavior, one can add the -Dcoldfusion.encodeformaction=false system property. The default value for this is true. This will roll back the behavior to CF901 behavior where we will generate the form action with script name and query parameters. This is however prone to XSS attacks and is not recommended for use. It is only for backward compatibility.
Smokes Passed: Yes
Note for QA: Yes, please try to add these test cases to the regression suite.
Note for Doc: yes, the flag is renamed. Earlier it was -Dcoldfusion.generateformaction. Now it is -Dcoldfusion.encodeformaction. For complete detail on behavior, see description field above.
Note for IDE: no
(Comment added from ex-user id:shilpik)
Comment by Adobe D.
20896 | March 20, 2012 03:48:02 AM GMT
Did ad hoc testing; things are working fine. On OWASP it is clearly mentioned:
EncodeForHTMLAttribute: This should not be used for complex attributes like href, src, style, or any of the event handlers like onmouseover.
URL: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes
Have to change all the test cases again. (Comment added from ex-user id:gtiwari)
Comment by Adobe D.
20897 | March 22, 2012 03:55:26 AM GMT
This is breaking in the scenarios in which the query string contains percentage encoding characters which are not valid.
POC: test.cfm
    <cfform >
    <cfinput type="submit" name="submit1" value="submit" />
    </cfform>
    <cfdump var="#URL#" />
Try accessing the page using the URL http://<host>/test.cfm?myval=%^g
Error: There was an error while encoding. For more details check logs.
The error occurred in C:/dev/ColdFusion/cf_main/cfusion/wwwroot/newmanual/coldfusion/tags/forms/htmlforms/encodeFormAction/_test.cfm: line 1
    1 : <cfform >
    2 : <cfinput type="submit" name="submit1" value="submit" />
    3 : </cfform>
Resources: Check the ColdFusion documentation to verify that you are using the correct syntax. Search the Knowledge Base to find a solution to your problem.
Browser Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.113 Safari/535.19
Remote Address 127.0.0.1
Referrer
Date/Time 26-Mar-12 04:22 PM
Stack Trace
at cf_test2ecfm1659968515.runPage(C:/dev/ColdFusion/cf_main/cfusion/wwwroot/newmanual/coldfusion/tags/forms/htmlforms/encodeFormAction/_test.cfm:1)
coldfusion.security.ESAPIUtils$EncodingUtilException: There was an error while encoding.
    at coldfusion.security.ESAPIUtils.decodeFromURL(ESAPIUtils.java:149)
    at coldfusion.tagext.html.form.FormTag.populateActionWithEncoding(FormTag.java:1105)
    at coldfusion.tagext.html.form.FormTag.doStartTag(FormTag.java:591)
    at cf_test2ecfm1659968515.runPage(C:\dev\ColdFusion\cf_main\cfusion\wwwroot\newmanual\coldfusion\tags\forms\htmlforms\encodeFormAction\_test.cfm:1)
    at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:244)
    at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:444)
    at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
    at coldfusion.filter.IpFilter.invoke(IpFilter.java:62)
    at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:443)
    at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
    at coldfusion.filter.PathFilter.invoke(PathFilter.java:112)
    at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:75)
    at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
    at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
    at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
    at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
    at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
    at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
    at coldfusion.CfmServlet.service(CfmServlet.java:204)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
    at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:928)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:414)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(Abstract
(Comment added from ex-user id:gtiwari)
Comment by Adobe D.
20898 | March 26, 2012 05:19:59 AM GMT
Sanjeev, can you check this since Shilpi is on PTO?
Comment by Rupesh K.
20899 | March 26, 2012 05:45:17 AM GMT
When the form action is not specified in the cfform, we generate the action URL in the generated page to be the same as the one used to access the page. While generating this URL, we are using ESAPI to encode the URL and attributes. It was breaking the test cases wherein the URL has a query string with the value %. Now using canonicalize instead of decodeURL for the query string.
Comment by Sanjeev K.
20900 | March 26, 2012 08:45:46 AM GMT
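An added example, not code from ColdFusion or from this ticket: a Python model of the behaviour discussed in the comments above, comparing a form action that reflects the query string verbatim with one that re-encodes each query parameter and then attribute-encodes the URL, including the `myval=%^g` case. The function names, the sample inputs and the tolerant strategy (a stray `%` is kept as a literal character) are assumptions for illustration; the ticket itself only says the fix switched to canonicalize.

```python
import html
import re
from urllib.parse import quote, unquote

# A '%' not followed by two hex digits is a malformed escape, e.g. "%^g".
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def strict_decode(value):
    """Decoder that rejects malformed escapes (models the failing step)."""
    if _BAD_ESCAPE.search(value):
        raise ValueError("malformed percent-escape in %r" % value)
    return unquote(value)


def raw_action(script_name, query_string):
    """Old-style behaviour: script name plus query string, reflected verbatim."""
    return '<form method="post" action="%s?%s">' % (script_name, query_string)


def encoded_action(script_name, query_string, decode=unquote):
    """Decode each parameter, URL-encode it again, then attribute-encode the URL."""
    pairs = []
    for part in query_string.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append(quote(decode(name), safe="") + "=" + quote(decode(value), safe=""))
    url = script_name + ("?" + "&".join(pairs) if pairs else "")
    return '<form method="post" action="%s">' % html.escape(url, quote=True)


# Constructed sample inputs (not taken from the ticket's attachments).
BREAKOUT = 'a=b"><i>injected</i>'  # harmless markup standing in for script
MALFORMED = "myval=%^g"            # the query string from the report


def demo():
    return {
        "raw": raw_action("/test.cfm", BREAKOUT),           # markup escapes the attribute
        "encoded": encoded_action("/test.cfm", BREAKOUT),   # stays inside the attribute
        "malformed": encoded_action("/test.cfm", MALFORMED),  # stray '%' becomes %25
    }


if __name__ == "__main__":
    for label, markup in demo().items():
        print(label, "->", markup)
```

Passing `decode=strict_decode` to `encoded_action` with the malformed query raises `ValueError`, which models the page failing to render when the decoder rejects the input.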
Tested. All CFFORM test cases changed. (Comment added from ex-user id:gtiwari)
Comment by Adobe D.
20901 | April 07, 2012 12:20:45 AM GMT