How do you handle the encoding of & in forms via HTMLEditFormat() and display with XMLFormat() properly?


Thorsten Eilers
Apr 10, 2016, 10:56:08 AM
to CFWheels
Hi,

in the model I sanitize form inputs with

private void function sanitize() {
    this.Header = HTMLEditFormat(this.Header);
}

then save it to the db.

In the form I use
#textField(objectName="news", property="Header", prepend="<div class=""col-md-9"">")#

The ampersand & is encoded to &amp;, on the second save action to &amp;amp; and then to &amp;amp;amp;.

How do I handle this case correctly?

Regards
Thorsten

Risto
Apr 10, 2016, 12:43:58 PM
to CFWheels
Hi,

This is really a CFML question. What version of ColdFusion are you using? If you are using a really old version like CF9, just use scriptprotect=true in Application.cfc.
If you are using more modern versions such as 10, 11, 2016 or Lucee 4.5, then use encodeForHTML():
https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-e-g/encodeforhtml.html

Lucee has ESAPIEncode/decode but I'm pretty sure it's deprecated in favour of encodeForHTML()

Also, don't forget that if you have any functions checking length, left, right etc., the encoding will change the string length.
Then use DecodeForHTML() before resubmitting, otherwise you will just keep encoding your encoding.


Risto
Apr 10, 2016, 12:52:34 PM
to CFWheels
Canonicalize() will also take care of your problem if you do multiple encodings.
https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-c-d/Canonicalize.html

Thorsten Eilers
Apr 10, 2016, 1:44:12 PM
to CFWheels
Thanks Risto. At the moment I use Lucee 4.5.

Thorsten Eilers
Apr 10, 2016, 1:56:36 PM
to CFWheels
In the model I tried
this.Header = ESAPIEncode( "HTML", this.Header );
in the view
#ESAPIEncode( "HTML", news.Header )#

Makes no difference. The & is always displayed as &amp;

I guess I'm missing a step.

Per Djurner
Apr 10, 2016, 2:38:17 PM
to CFWheels
I typically never change anything going in to the database.
I just make sure I never output it in an unsafe way.

Curious if others do it that way too or if you modify things going in to the database as well?

--
You received this message because you are subscribed to the Google Groups "CFWheels" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cfwheels+u...@googlegroups.com.
To post to this group, send email to cfwh...@googlegroups.com.
Visit this group at https://groups.google.com/group/cfwheels.
For more options, visit https://groups.google.com/d/optout.

Thorsten Eilers
Apr 10, 2016, 2:44:36 PM
to CFWheels
Do you think I am paranoid? ;-)

Risto
Apr 10, 2016, 3:31:17 PM
to CFWheels
Hi Thorsten,

If you go to http://cflive.net/, select Lucee and try either one of these versions.

V1

<cfset header = "this & is & a test">

<cfset myencode = ESAPIEncode( "HTML", header )>

<cfdump var = "#myencode#">

<!--- decode with the HTML decoder so it reverses the HTML encoding done above --->
<cfset mydecode = ESAPIDecode( "HTML", myencode )>

<cfdump var = "#mydecode#">

or V2

<cfset header = "this & is & a test">

<cfset myencode = EncodeForHTML( header )>

<cfdump var = "#myencode#">

<!--- canonicalize strips every layer of encoding; both restrict flags are off here --->
<cfset mydecode = Canonicalize( myencode, false, false )>

<cfdump var = "#mydecode#">


maybe a combination will work for your exact situation
Thorsten Eilers
Apr 10, 2016, 4:22:59 PM
to CFWheels
Thanks Risto, I will try it on Wednesday.

Chris Peters
Apr 10, 2016, 9:32:39 PM
to cfwh...@googlegroups.com
I agree with Per. You want the database to store the data, not how it should be presented in HTML. In theory, if you wanted to output that same data into a non-HTML format, you would then have HTML-encoded entities in there to un-encode.
--

Chris Peters
Web Developer
Liquifusion Studios

chris....@liquifusion.com
Skype: liquifusion.support
www.liquifusion.com
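The double-encoding cycle Thorsten describes, Risto's canonicalize() suggestion, and the store-raw/encode-on-output advice from Per and Chris, modelled in Python rather than CFML. This is an added example, not code from the thread, from CFWheels, or from Adobe/Lucee: Python's html.escape() and html.unescape() stand in for HTMLEditFormat()/encodeForHTML() and decodeForHTML(), the canonicalize() below is a hypothetical re-implementation of the idea (not the real function), and the header text is a constructed sample.

```python
import html
from typing import Tuple

# Constructed sample input: what a user might type into the "Header" field.
RAW_HEADER = 'Tom & Jerry <b>are not bold</b>'


def encode_on_every_save(value: str, saves: int) -> str:
    """Model the reported bug: the encoder runs in the model before every save,
    so a value that is already stored encoded is encoded again on the next save
    ('&' -> '&amp;' -> '&amp;amp;' -> '&amp;amp;amp;')."""
    for _ in range(saves):
        value = html.escape(value, quote=True)  # stands in for HTMLEditFormat()/encodeForHTML()
    return value


def canonicalize(value: str, restrict_multiple: bool = True,
                 max_rounds: int = 10) -> Tuple[str, int]:
    """Hypothetical re-implementation of the canonicalize() idea from the thread:
    decode entities until the string stops changing and report how many layers
    were removed. With restrict_multiple=True a second layer is rejected instead
    of silently decoded, because layered encoding is a classic filter-evasion
    signal worth treating as invalid input."""
    rounds = 0
    while rounds < max_rounds:
        decoded = html.unescape(value)  # stands in for decodeForHTML()
        if decoded == value:
            return value, rounds
        rounds += 1
        if restrict_multiple and rounds > 1:
            raise ValueError("multiple encoding detected in input")
        value = decoded
    raise ValueError("too many encoding layers")


def render_text_field(stored_value: str) -> str:
    """The advice from Per and Chris: keep the raw value in the database and
    encode exactly once, at output, for the context it lands in (an HTML
    attribute here, mirroring the textField() call in the original post)."""
    return ('<div class="col-md-9">'
            '<input type="text" name="news[Header]" value="%s">'
            '</div>' % html.escape(stored_value, quote=True))


def browser_resubmits(rendered: str) -> str:
    """Return what a browser would post back: the attribute value, entity-decoded."""
    start = rendered.index('value="') + len('value="')
    end = rendered.index('"', start)
    return html.unescape(rendered[start:end])


def store_raw_round_trip(raw: str, saves: int) -> str:
    """Store raw, render encoded, resubmit, store raw again. The value is stable
    across any number of edit/save cycles, unlike encode_on_every_save()."""
    stored = raw
    for _ in range(saves):
        stored = browser_resubmits(render_text_field(stored))
    return stored


if __name__ == "__main__":
    print(encode_on_every_save(RAW_HEADER, 3))          # the growing &amp;amp;amp; problem
    print(canonicalize(encode_on_every_save(RAW_HEADER, 3), restrict_multiple=False))
    print(store_raw_round_trip(RAW_HEADER, 5) == RAW_HEADER)
```

The round-trip function is the point of Per's and Chris's advice: because the encoder only ever sees a raw value and runs once per render, the browser decodes exactly what was encoded and posts the original text back, so there is no layer to strip on the way in. canonicalize() is useful as a repair step for rows that were already double-encoded, and with restrict_multiple left on it doubles as a validation check that flags deliberately layered input.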

Thorsten Eilers
Apr 12, 2016, 3:10:17 AM
to CFWheels

I guess you are right, as always.

I should not encode the user input before saving it to the database.

I am now thinking of validating any user input with the Wheels built-in functions and adding a Jsoup validation on top of it to either
- strip out all content that is not whitelisted
or
- reject the non-conforming user input and display a form error message to the user.

On the output in the views I will use encodeForHTML() on Lucee 4.5.

What do you think? Is this approach better?
And should I rather strip out or reject non-conforming user input?

