3

I also asked the same question over at the Adobe ColdFusion forums:

I just recently upgraded to ColdFusion 11 from ColdFusion 10 and noticed that quotation marks are not being escaped in ColdFusion 11 when those are entered in a textbox.

Here is an image from my ColdFusion 10 server where the quotation marks are automatically being escaped.

CF10 - Form Field

Here's the view source from Google Chrome:

CF10 - Google Chrome View Source

Here is an image from my ColdFusion 11 server where the quotation marks are NOT being escaped.

CF11 - Form Field

Here's the view source from Google Chrome:

CF11 - Google Chrome View Source

Does anyone know if this expected behavior or a bug? Do we really have to use EncodeForHTML() on every form field value now?

Update: This is what the form field code looks like:

<cfinput type="text" name="NAME_HERE" 
    value="#VARIABLE_HERE#" 
    size="60" maxlength="1250">
Leigh
  • 28,765
  • 10
  • 55
  • 103
Dave Cordes
  • 31
  • 3
  • 1
    How exactly are you putting the value into the input's attribute? i'd say you should always encode it. – Kevin B Jul 09 '15 at 20:42
  • This is how the form field looked. – Dave Cordes Jul 09 '15 at 21:15
  • 1
    I haven't used CF 11 yet, but I assumed that as of CF 10, CFINPUT uses encodeForHTMLAttribute() ('value' is an attribute') behind the scenes instead of HTMLEditFormat(), That is what it uses in CF 9 and lower. Maybe CF 10 uses HTMLEditFormat() as well? – Adrian J. Moreno Jul 09 '15 at 21:23
  • Ah, cfinput. I never used any of those tags. That would explain the confusion. – Kevin B Jul 09 '15 at 21:24
  • 1
    Yeah, this code is legacy stuff from 7-8 years ago so we used cfinput a lot back then. When I use a normal input tag it doesn't get escaped so cfinput no longer escapes anything on ColdFusion 11. I wonder if this was documented anywhere. – Dave Cordes Jul 09 '15 at 21:41
  • Does anyone know if ColdFusion 11 stopped escaping values in cfinput tags? From reading this post it seems like ColdFusion 10+ should be using EncodeForHTML() by default on all values contained in cfinput tags.[link](http://stackoverflow.com/questions/23941113/is-there-a-difference-with-the-htmleditformat-function-in-coldfusion-cf9-versus) – Dave Cordes Jul 09 '15 at 21:53

0 Answers0