cflocation url encoding


W. Williams

Sep 29, 2016, 5:34:59 PM
to Lucee
Hey all,

We are moving a client from Railo to Lucee and we have come across an interesting issue.

test1.cfm
<cflocation url="test2.cfm?message=This+is+a+test" addtoken="false">

test2.cfm
<cfoutput>
#URL.Message#
</cfoutput>

Railo shows: This is a test message

Lucee shows: This+is+a+test+message

In Railo, if you entered "test2.cfm?message=This+is+a+test" in a cflocation it would just send the URL as is. In Lucee it URL encodes it to "test2.cfm?message=This%2Bis%2Ba%2Btest".

We have disabled cross site scripting in admin and that didn't help. Can someone give this a try, or have you seen this before? Is there a difference in the way Lucee handles cflocation?

Thanks in advance!

Igal @ Lucee.org

Sep 29, 2016, 7:28:44 PM
to lu...@googlegroups.com

What version of Lucee are you running?


Igal Sapir
Lucee Core Developer
Lucee.org


W. Williams

Sep 29, 2016, 9:32:03 PM
to Lucee
Thought I included that info :( Lucee 5, most recent stable release!

Igal @ Lucee.org

Sep 29, 2016, 9:33:32 PM
to lu...@googlegroups.com

> Lucee 5, most recent stable release!

I'm sorry, but that's not a valid version number.

Igal Sapir
Lucee Core Developer
Lucee.org

W. Williams

Sep 30, 2016, 12:22:03 AM
to Lucee
Lucee 5.0.0.254

W. Williams

Sep 30, 2016, 12:22:29 AM
to Lucee
We are using mod_proxy_ajp as the connector within Apache.

W. Williams

Oct 1, 2016, 10:55:17 PM
to Lucee
Can someone give this a try for us? Just trying to see if it is our install or just a difference between Railo and Lucee. Is there a way to change this behavior if it is just Lucee?

Thanks in advance!

Denard Springle

Oct 2, 2016, 11:31:02 AM
to Lucee
While I have not tested this behavior as being different between Railo and Lucee, I feel the proper behavior is being done by Lucee in this case.  Might I suggest taking a different approach here altogether?

First, your code is highly insecure. Passing message data around on the URL like that is inherently dangerous and could lead to reflected XSS attacks against your site. The better approach is to do something like:

test2.cfm?message=XXX

Where XXX is usually a number or combination of letters you then use within test2.cfm:

if(URL.message eq XXX) {
   writeOutput( 'This is my test message' );
}

Or, if you expect a number of different messages you could switch/case it and have a catch-all defaultCase, etc.

At the very least, if you don't want to do that, then you should do something like this:

test2.cfm?message=#urlEncodedFormat( 'My test message' )#

And in test2.cfm:

writeOutput( encodeForHTML( urlDecode( URL.message ) ) );

Where you URL encode your message text and then decode it and wrap it in encodeForHTML() to prevent it being used for XSS attacks.

The safer approach is still to use an alpha/numeric code you check for and then present your message based on the code passed in.

HTH

-- Denny
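
An added example, not part of any post in this thread: Python standing in for the CFML pages, showing how the two URLs from the first post decode on the receiving side (`+` becomes a space, `%2B` becomes a literal `+`) and the two display approaches suggested in the last reply. The function names, message codes and message texts are assumptions made for illustration.

```python
"""Added illustration: query-string decoding and safe message display."""
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Constructed allow-list: short codes mapped to fixed message text.
MESSAGES = {
    "saved": "Your changes were saved.",
    "login": "Please log in to continue.",
}
DEFAULT_MESSAGE = "Something happened."  # catch-all, like a defaultCase


def received_message(location: str) -> str:
    """Return the decoded 'message' parameter as the target page would see it."""
    params = parse_qs(urlsplit(location).query, keep_blank_values=True)
    return params.get("message", [""])[0]


def redirect_with_text(page: str, text: str) -> str:
    """Build a redirect target with the free text percent-encoded exactly once."""
    return f"{page}?message={quote(text, safe='')}"


def render_code(location: str) -> str:
    """Option 1: treat the parameter as a code and only ever print fixed text."""
    code = received_message(location).strip().lower()
    return escape(MESSAGES.get(code, DEFAULT_MESSAGE))


def render_text(location: str) -> str:
    """Option 2: print the caller-supplied text, HTML-encoded for output."""
    return escape(received_message(location), quote=True)


if __name__ == "__main__":
    for url in (
        "test2.cfm?message=This+is+a+test",        # as written in test1.cfm
        "test2.cfm?message=This%2Bis%2Ba%2Btest",  # after the extra encoding
        redirect_with_text("test2.cfm", "My test message"),
        "test2.cfm?message=%3Cscript%3Ealert(1)%3C/script%3E",  # constructed hostile value
    ):
        print(f"{url!r:60} -> text: {render_text(url)!r} | code: {render_code(url)!r}")
```

With the code-based option, the hostile value never reaches the page at all; with the free-text option it is shown as inert text.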