esapi issue


Jim Priest

Jul 26, 2012, 12:28:19 PM
to cfunifo...@googlegroups.com
Just curious... is cfUniform doing anything under the hood to clean/sanitize form inputs?

I'm tinkering around with the ESAPI library in CF9.

These all work:
<uform:option display="#rc.esapi.encodeForHTMLAttribute(category.getCategoryName())#" value="1"/>
<uform:option display="#rc.esapi.encodeForHTMLAttribute(category.getCategoryName())#" value="#rc.esapi.encodeForHTMLAttribute(1)#"/>

But if I do:

<uform:option display="#rc.esapi.encodeForHTMLAttribute(category.getCategoryName())#" value="rc.esapi.encodeForHTMLAttribute(category.getCategoryID())#"/>

It fails:

Either there are no methods with the specified method name and argument types or the encodeForHTMLAttribute method is overloaded with argument types that ColdFusion cannot decipher reliably. ColdFusion found 0 methods that match the provided arguments. If this is a Java object and you verified that the method exists, use the javacast function to reduce ambiguity. Message The encodeForHTMLAttribute method was not found.


I'm using ORM and thought maybe getCategoryId() was returning something odd but if I do:

IsNumeric( getCategoryId() ) returns true?

Any ideas?

Jim

Dan Wilson

Jul 26, 2012, 12:38:26 PM
to cfunifo...@googlegroups.com
That error usually means you are trying to call a method on a string.

Get to a screen that causes that error, then Dump out "rc.esapi".

It's probably an empty string for some reason.


DW

--
Plutarch - "The mind is not a vessel to be filled but a fire to be kindled."

Jim Priest

Jul 26, 2012, 12:57:58 PM
to cfunifo...@googlegroups.com
Dump ( rc.esapi ) = object of org.owasp.esapi.reference.DefaultEncoder

It doesn't appear to be anything related to cfUniform.

I set up:

<cfloop array="#rc.sections#" index="section">
#section.getSectionID()#, #section.getSectionName()#<br>
</cfloop>

Which gives me:

1, Management
2, Immediate Office
3, Resource Management
4, PIQA

For whatever reason it doesn't like the ID.

Maybe I'll ping Jason and see if he's seen this before.

Jim

Marc Esher

Jul 26, 2012, 1:03:05 PM
to cfunifo...@googlegroups.com
Jim, is this a typo:

value="rc.esapi.encodeForHTMLAttribute(category.getCategoryID())#"/>

It's missing a pound sign.


Jim Priest

Jul 26, 2012, 1:15:42 PM
to cfunifo...@googlegroups.com
Oops. That was just a Gmail cut-n-paste error.

Doing more testing:

<cfloop array="#rc.sections#" index="section">
#section.getSectionID()#, #section.getSectionName()#<br>
</cfloop>

Gives me:

1, Management
2, Immediate Office
3, Resource Management
4, PIQA



<cfloop array="#rc.sections#" index="section">
#rc.esapi.encodeForHTML( section.getSectionID() )#
,#rc.esapi.encodeForHTML( section.getSectionName() )#<br>
</cfloop>

Throws error:

Detail Either there are no methods with the specified method name and argument types or the encodeForHTML method is overloaded with argument types that ColdFusion cannot decipher reliably. ColdFusion found 0 methods that match the provided arguments. If this is a Java object and you verified that the method exists, use the javacast function to reduce ambiguity. 
Message The encodeForHTML method was not found.



<cfloop array="#rc.sections#" index="section">
#rc.esapi.encodeForHTML(1)#
,#rc.esapi.encodeForHTML(section.getSectionName())#<br>
</cfloop>

Substituting a number for the variable works fine.


Thought maybe ORM was returning something odd but:

<cfloop array="#rc.sections#" index="section">
#IsNumeric( section.getSectionID() )#
,#rc.esapi.encodeForHTML(section.getSectionName())#<br>
</cfloop>

I get back:

YES ,Management
YES ,Immediate Office
YES ,Resource Management
YES ,PIQA


Weird...

Jim

Jim Priest

Jul 26, 2012, 1:25:37 PM
to cfunifo...@googlegroups.com
More...

<cfset i = 1>
<cfloop array="#rc.sections#" index="section">
 #rc.esapi.encodeForHTML( i )#
,#rc.esapi.encodeForHTML(section.getSectionName())#<br>
<cfset i = i + 1>
</cfloop>

Eliminating the ID, it fails with the same error.



<cfset i = 1>
<cfloop array="#rc.sections#" index="section">
#rc.esapi.encodeForHTML( "jim" & i )#
,#rc.esapi.encodeForHTML(section.getSectionName())#<br>
<cfset i = i + 1>
</cfloop>

Works...

So this seems like a bug, no?

Jim

Dan Wilson

Jul 26, 2012, 1:27:47 PM
to cfunifo...@googlegroups.com

Try javaCast on the number just to see if it hates numbers.

Jim Priest

Jul 26, 2012, 3:05:05 PM
to cfunifo...@googlegroups.com
Yep. I've been talking to Jason Dean... the ESAPI encoders expect a string:

<cfloop array="#rc.sections#" index="section">
#rc.esapi.encodeForHTML( javaCast("string", section.getSectionID()) )#
,#rc.esapi.encodeForHTML( section.getSectionName() )#<br>
</cfloop>

Works...
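As an added example (not code from this thread, from cfUniform, or from ESAPI), here is a small CFML wrapper that applies the fix above consistently. The ESAPI Encoder interface only declares its encodeFor* methods with a java.lang.String parameter, so a ColdFusion value that is backed by a Java numeric object (an ORM ID, a loop counter) matches no overload even though IsNumeric() says yes. The wrapper forces every value through javaCast("string", ...) before calling the encoder, and chooses the encoder by output context so an attribute value and element text are not encoded the same way. It assumes rc.esapi is the org.owasp.esapi Encoder instance shown in the thread; the function name safeEncode and the context labels are made up for this example.

```cfml
<cfscript>
// Added example, not part of the thread. Assumes "encoder" is an ESAPI
// Encoder (e.g. the rc.esapi object dumped earlier in the thread).
function safeEncode(required any encoder, required string context, any value = "") {
    // ORM can hand back a Java null; emit nothing rather than error out.
    if (isNull(arguments.value)) {
        return "";
    }

    // Numeric results arrive as Java number objects, which match none of the
    // String-only ESAPI overloads. javaCast makes the argument a java.lang.String.
    var s = javaCast("string", arguments.value);

    // Pick the encoder for the HTML context the value is being written into.
    switch (lCase(arguments.context)) {
        case "html":
            return arguments.encoder.encodeForHTML(s);
        case "attribute":
            return arguments.encoder.encodeForHTMLAttribute(s);
        case "js":
            return arguments.encoder.encodeForJavaScript(s);
        case "url":
            return arguments.encoder.encodeForURL(s);
        default:
            // Refuse unknown contexts instead of silently writing raw output.
            throw(type="InvalidEncodingContext",
                  message="Unknown output context: #arguments.context#");
    }
}
</cfscript>

<!--- Same loop as in the thread, now using the wrapper for both contexts. --->
<select name="sectionID">
<cfloop array="#rc.sections#" index="section">
<cfoutput>
<option value="#safeEncode(rc.esapi, "attribute", section.getSectionID())#">#safeEncode(rc.esapi, "html", section.getSectionName())#</option>
</cfoutput>
</cfloop>
</select>
```

When chasing this class of error, getMetaData(section.getSectionID()).getName() typically reveals the underlying Java class, which is the thing ESAPI's method lookup sees; IsNumeric() only reports ColdFusion's view of the value. Routing every output through one wrapper also makes it easy to spot places where a value is written unencoded, or encoded for the wrong context.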