tracker issue : CF-3040920

Problem:

HTMLEditFormat does not escape ampersands when they form part of certain entities.  This behaviour is not mentioned in the documentation, nor is it listed as a change from ColdFusion 8.   It is highly inconsistent, as it does not apply to all entities.  This issue makes it impossible to use HTMLEditFormat to create a form for safely editing HTML (as in the example I've provided).  Some of the user's input is effectively lost, as it does not get properly escaped.  It is a nasty backwards-compatibility issue, as applications written for earlier versions of ColdFusion will behave differently.
Method:

<cfparam name="form.myHTML" default=""><html><head><title>HTMLEditFormat() test</title></head><body><cfif Len(form.myHTML)><p>You submitted:</p><pre><cfoutput>#XMLFormat(form.myHTML)#</cfoutput></pre><p>Try hitting submit again.</p><cfelse><p>Try copying the HTML markup below into the form and submitting it.</p><pre>&lt;textarea&gt;This is my HTML markup. It has some entities in it, including &amp;amp;, &amp;raquo;, &amp;#60; and &amp;nbsp;.&lt;/textarea&gt;&lt;p&gt;I do not want to lose them.&lt;/p&gt;</pre></cfif><form method="POST"><textarea name="myHTML" rows="10" cols="40"<cfif Len(form.myHTML)> readonly</cfif>><cfoutput>#HTMLEditFormat(form.myHTML)#</cfoutput></textarea><input type="submit"></form></body></html>
Result:

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3040920

External Customer Info:
External Company:  
External Customer Name: Mike Nicholls
External Customer Email: 1932664644160A2F992015D5
External Test Config: 02/10/2010

Attachments:

Comments: