tracker issue : CF-4126669

Title:

Security Analyzer - Better information for HTMLEditFormat


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): David Epler / David Epler (David Epler)

Created: 03/09/2016

Components: Security Analyzer

Versions: 2016

Failure Type: Unspecified

Found In Build/Fixed In Build: Alpha_v12 /

Priority/Frequency: Normal / Unknown

Locale/System: English / Win All

Vote Count: 1

Prior to ColdFusion 10, the only way to escape/encode for XSS was mostly through the use of HTMLEditFormat. This function was deprecated in ColdFusion 10, when the ESAPI EncodeFor* functions were introduced.

The security analyzer should provide better information on how to replace HTMLEditFormat with the correct EncodeFor* function to properly mitigate XSS.
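The kind of hint the report asks for depends on where the HTMLEditFormat() call lands in the output: HTML body text wants encodeForHTML(), a quoted attribute wants encodeForHTMLAttribute(), a URL parameter encodeForURL(), a style value encodeForCSS(), and a script string encodeForJavaScript(); XmlFormat(), which a comment below raises, maps to encodeForXML() / encodeForXMLAttribute(). The script below is an added illustration of that context-aware hint, written for this page and not code from the ColdFusion Security Analyzer or from the attached HTMLEditFormat.cfm. The sample template, the single-line context heuristic and the Python model of HTMLEditFormat's escaping (assumed here to rewrite only &, <, > and the double quote, which is why the single quote passes through) are all constructed for the example.

```python
"""Context-aware replacement hints for deprecated CFML escaping functions.

Added example: for each HTMLEditFormat()/XmlFormat() call in a template, look at
the markup before the call on the same line, decide the output context, and name
the ColdFusion 10+ EncodeFor* function that matches it.
"""
import re
from typing import List, Tuple

# Constructed sample template; NOT the HTMLEditFormat.cfm attached to the tracker issue.
SAMPLE_CFM = """<cfoutput>
<p>Hello #HTMLEditFormat(url.name)#</p>
<input type="text" value="#HTMLEditFormat(form.search)#">
<input type="text" value='#HTMLEditFormat(form.search)#'>
<a href="/profile.cfm?user=#HTMLEditFormat(url.name)#">profile</a>
<div style="color:#HTMLEditFormat(url.color)#">tinted</div>
<script>var who = '#HTMLEditFormat(url.name)#';</script>
<item name="#XmlFormat(url.name)#">#XmlFormat(url.comment)#</item>
</cfoutput>
"""

CALL_RE = re.compile(r"\b(HTMLEditFormat|XmlFormat)\s*\(", re.IGNORECASE)

# Output context -> ESAPI-backed function available since ColdFusion 10.
REPLACEMENT = {
    "html": "encodeForHTML",
    "html_attribute": "encodeForHTMLAttribute",
    "javascript": "encodeForJavaScript",
    "url": "encodeForURL",
    "css": "encodeForCSS",
    "xml": "encodeForXML",
    "xml_attribute": "encodeForXMLAttribute",
}


def classify_context(line: str, pos: int, func: str) -> str:
    """Decide the output context of the call starting at `pos` from the text before it.

    Heuristic and single-line only (an assumption of this example); a real analyzer
    would track parser state across lines and nested constructs.
    """
    before = line[:pos]
    # An attribute whose quoted value is still open when the call starts: attr="...  or attr='...
    in_attr = re.search(r"""\b([\w:-]+)\s*=\s*(["'])(?:(?!\2).)*$""", before)
    if func.lower() == "xmlformat":
        return "xml_attribute" if in_attr else "xml"
    if re.search(r"<script\b", before, re.I) and not re.search(r"</script\s*>", before, re.I):
        return "javascript"
    if in_attr:
        attr = in_attr.group(1).lower()
        if attr in ("href", "src", "action", "formaction"):
            return "url"
        if attr == "style":
            return "css"
        return "html_attribute"
    return "html"


def analyze(cfm: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, deprecated_call, context, replacement) for every hit."""
    findings = []
    for line_no, line in enumerate(cfm.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            ctx = classify_context(line, m.start(), m.group(1))
            findings.append((line_no, m.group(1), ctx, REPLACEMENT[ctx]))
    return findings


def html_edit_format(s: str) -> str:
    """Model of the legacy HTMLEditFormat: rewrites only &, <, > and the double quote.

    The single quote is NOT encoded, which is why it is unsafe inside single-quoted
    attributes and JavaScript strings.
    """
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def render_single_quoted_attr(value: str) -> str:
    """The pattern from line 4 of the sample: HTMLEditFormat inside value='...'."""
    return "<input type=\"text\" value='" + html_edit_format(value) + "'>"


if __name__ == "__main__":
    for line_no, call, ctx, fix in analyze(SAMPLE_CFM):
        print(f"line {line_no}: {call}() in {ctx} context -> use {fix}()")
    # The attribute break-out that the context-specific hint is meant to prevent.
    print(render_single_quoted_attr("x' autofocus onfocus='alert(1)"))
```

Running it lists one hint per call; the last line shows the single-quoted attribute case, where HTMLEditFormat's output still contains the attacker's quote and a new event-handler attribute. Two caveats carry over to the real functions: encodeForURL() protects a single query-string value, not an attacker-supplied whole URL (a javascript: scheme still needs to be rejected separately), and encodeForJavaScript() covers a string literal, not a bare JavaScript expression.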

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4126669

Bug File Paths:
\\sjshare.corp.adobe.com\Prereleasebugfiles\ColdFusion\12.0\Alpha_v12\4026103\HTMLEditFormat.cfm

Attachments:

Comments:

Adding BUG AUDIT TRAIL
action: updated | fieldName: Date Closed | newValue: 2015-10-18 23:31:49.0 | oldValue: Blank | oprid: preethi | recordName: RQ_DEFECT | timestamp: 2015-10-19 06:31:49.0
action: updated | fieldName: Closed By | newValue: preethi | oldValue: Blank | oprid: preethi | recordName: RQ_DEFECT | timestamp: 2015-10-19 06:31:49.0
action: updated | fieldName: Owner | newValue: Blank | oldValue: preethi | oprid: preethi | recordName: RQ_DEFECT | timestamp: 2015-10-19 06:31:49.0
action: updated | fieldName: State | newValue: Closed | oldValue: Open | oprid: preethi | recordName: RQ_DEFECT | timestamp: 2015-10-19 06:31:49.0
action: updated | fieldName: Status | newValue: Fixed | oldValue: ToTest | oprid: preethi | recordName: RQ_DEFECT | timestamp: 2015-10-19 06:31:49.0
action: updated | fieldName: Reason | newValue: Blank | oldValue: Fixed | oprid: preethi | recordName: RQ_DEFECT | timestamp: 2015-10-19 06:31:49.0
action: updated | fieldName: Date Fixed | newValue: 2015-10-14 01:54:58.0 | oldValue: Blank | oprid: uogra | recordName: RQ_DEFECT | timestamp: 2015-10-14 08:54:58.0
action: updated | fieldName: Changelist | newValue: 296001 | oldValue: Blank | oprid: uogra | recordName: RQ_DEFECT | timestamp: 2015-10-14 08:54:58.0
action: updated | fieldName: Reason | newValue: Fixed | oldValue: Investigate | oprid: uogra | recordName: RQ_DEFECT | timestamp: 2015-10-14 08:54:58.0
action: updated | fieldName: Status | newValue: ToTest | oldValue: ToFix | oprid: uogra | recordName: RQ_DEFECT | timestamp: 2015-10-14 08:54:58.0
action: updated | fieldName: Owner | newValue: preethi | oldValue: uogra | oprid: uogra | recordName: RQ_DEFECT | timestamp: 2015-10-14 08:54:58.0
action: updated | fieldName: Fixed By | newValue: uogra | oldValue: Blank | oprid: uogra | recordName: RQ_DEFECT | timestamp: 2015-10-14 08:54:58.0
action: updated | fieldName: Reason | newValue: Investigate | oldValue: Blank | oprid: vmannebo | recordName: RQ_DEFECT | timestamp: 2015-08-17 03:39:42.0
action: updated | fieldName: Priority | newValue: 2 | oldValue: 0 | oprid: vmannebo | recordName: RQ_DEFECT | timestamp: 2015-08-17 03:39:42.0
action: updated | fieldName: Severity | newValue: 0 | oldValue: 0 | oprid: vmannebo | recordName: RQ_DEFECT | timestamp: 2015-08-17 03:39:42.0
action: updated | fieldName: Dev Assigned | newValue: uogra | oldValue: sanniset | oprid: preethi | recordName: RQ_DEFECT | timestamp: 2015-07-29 04:52:53.0
action: updated | fieldName: Owner | newValue: uogra | oldValue: sanniset | oprid: preethi | recordName: RQ_DEFECT | timestamp: 2015-07-29 04:52:53.0
action: updated | fieldName: Reason | newValue: Blank | oldValue: Blank | oprid: preethi | recordName: RQ_DEFECT | timestamp: 2015-07-28 12:44:42.0
action: updated | fieldName: Status | newValue: ToFix | oldValue: Unverified | oprid: preethi | recordName: RQ_DEFECT | timestamp: 2015-07-28 12:44:42.0
action: updated | fieldName: Fix By Product Milestone | newValue: Beta | oldValue: Blank | oprid: preethi | recordName: RQ_DEFECT | timestamp: 2015-07-28 12:44:42.0
action: updated | fieldName: Fix By Milestone | newValue: Beta | oldValue: Blank | oprid: preethi | recordName: RQ_DEFECT | timestamp: 2015-07-28 12:44:42.0
action: updated | fieldName: Owner | newValue: sanniset | oldValue: preethi | oprid: preethi | recordName: RQ_DEFECT | timestamp: 2015-07-28 12:44:42.0
action: added | fieldName: Vote Type | newValue: BETA | oldValue: Blank | oprid: prerelease | recordName: AD_DEFECT_VOTE | timestamp: 2015-07-27 20:14:44.0
Comment by CFwatson U.
3546 | March 09, 2016 04:30:57 AM GMT
The same applies to XmlFormat
Vote by External U.
3548 | March 09, 2016 04:30:59 AM GMT
Added By: PreRelease User | User Name: David Epler | Note Added: Entered Feature. | Date Added: 2015-07-26 13:47:20.0
Comment by CFwatson U.
3547 | March 09, 2016 04:31:00 AM GMT