Talking about HTMLEditFormat()


Ronan Lucio

Nov 26, 2009, 7:43:07 AM
to ra...@googlegroups.com
Hi All,

Like all of you, I am used to treating all input fields.

For string fields, I usually convert the text into HTML entities.
The problem is that I need three function calls for that:

text = stripCR( text );                           // drop CR so only LF remains
text = HTMLEditFormat( text );                    // encode & < > " as entities
text = replace( text, chr(10), "<br />", "all" ); // LF -> <br />, after encoding so the tag survives

My question is:

1) Shouldn't these be grouped into a single function, something like secureInputText()?

2) Shouldn't we have a function to validate (and/or strip) invalid characters (like those below decimal 32 in the ASCII table)?

CFML is primarily a web language, and as such it's supposed to have functions that deal with the known problems of the web environment, like validating and encoding inputs and so on.
For those who have read the book "Building Scalable Web Sites", these questions might make more sense.

Thanks,
Ronan
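An added example (not code from the post above or from Railo) of the wrapper the two questions describe: the three calls folded into one function, plus the check for characters below decimal 32. The names secureInputText(), stripControlChars() and the keepLineBreaks argument are assumptions, and the sample input is constructed.

```cfml
<cfscript>
// Added example, not code from the original post or from Railo.
// secureInputText(), stripControlChars() and keepLineBreaks are assumed names.

// Drops every character below ASCII 32 except TAB (9), LF (10) and CR (13),
// and also DEL (127). Nothing else in that range belongs in a form field, and
// it breaks XML, CSV and log output later on.
string function stripControlChars(required string text) {
    var out  = "";
    var i    = 0;
    var code = 0;
    for (i = 1; i lte len(arguments.text); i++) {
        code = asc(mid(arguments.text, i, 1));
        if ((code gte 32 and code neq 127) or code eq 9 or code eq 10 or code eq 13) {
            out &= mid(arguments.text, i, 1);
        }
    }
    return out;
}

// Wraps the three calls from the post. Order matters: HTMLEditFormat() has to
// run before the <br /> insertion, otherwise it encodes the tags as &lt;br /&gt;.
string function secureInputText(required string text, boolean keepLineBreaks = true) {
    var clean = stripControlChars(arguments.text);
    clean = stripCR(clean);            // CRLF and lone CR -> LF
    clean = HTMLEditFormat(clean);     // & < > " -> entities
    if (arguments.keepLineBreaks) {
        clean = replace(clean, chr(10), "<br />", "all");
    } else {
        clean = replace(clean, chr(10), " ", "all");
    }
    return clean;
}

// Constructed sample input: a comment with a stray BEL (7), a tag and a CRLF.
sample = "Hello" & chr(7) & " <b>World</b>" & chr(13) & chr(10) & "second line";
writeOutput(secureInputText(sample));
</cfscript>
```

The BEL is removed, the bold tags come out as entities and the CRLF becomes a single `<br />`. One caveat: HTMLEditFormat() encodes only `&`, `<`, `>` and `"`, so this output is safe inside an element body or a double-quoted attribute, not inside a single-quoted attribute or a script block.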

Todd Rafferty

Nov 26, 2009, 7:56:54 AM
to ra...@googlegroups.com
Feel free to create a user defined function that wraps 3 function calls and returns the result. 

Also, validation objects are easy to create, but you need to create them. There are generic cfml functions such as, isValid('whatever',input), but it's only as valid as you allow it. 

If you're looking for safety from XSS attacks, well, you need to plug it in or code it yourself at the moment. One idea would be to open up a uservoice feature enhancement request to possibly get AntiSamy embedded into Railo. Dan Switzer II writes about it here:

Even ACF doesn't have this built in because Dan is trying to drum up votes to get it built in ( http://blog.pengoworks.com/index.cfm/2009/10/14/Vote-now-to-have-ColdFusion-provide-better-XSS-protection ).

~Todd Rafferty ** Volunteer Railo Open Source Community Manager ** http://getrailo.org/

Todd Rafferty

Nov 26, 2009, 8:01:05 AM
to ra...@googlegroups.com
Here you go:

~Todd Rafferty ** Volunteer Railo Open Source Community Manager ** http://getrailo.org/



Michael Offner-Streit

Nov 26, 2009, 8:01:57 AM
to ra...@googlegroups.com
I think the most important point is that you have all the basic
functionality to do things like this with only some lines of code.

Having functions/tags that are too focused on a specific need, these
functions will never match your requirements or they are too complicated,
because they have tons of arguments.

But you can open a uservoice for it and when there are many votes for
it, we will implement it:
http://railo.uservoice.com/pages/21016-general


/micha




--
Michael Offner-Streit
CTO
Railo Technologies GmbH
michael...@railo.ch
www.getrailo.com

Mailing List (english): http://groups.yahoo.com/group/railo_talk/
Mailing List (german): http://de.groups.yahoo.com/group/railo/
Linked in: http://www.linkedin.com/e/gis/71368/0CF7D323BBC1
Issue Tracker: http://jira.jboss.org/jira/browse/RAILO
Blog: http://www.railo-technologies.com/blog


Ronan Lucio

Nov 26, 2009, 8:34:11 AM
to ra...@googlegroups.com
Hi Todd,

Thank you for the answer.
No problem creating a function like that. Actually, it's already done.

My question is whether it should be native to CFML or added via a third-party function.
Personally, I prefer the first option (even though I already have it as the latter) because it would be broadly available and documented in all CFML docs.

If I publish a function, I'll reach only the developers who are looking for it.
If CFML had a function like that, it would reach almost all CFML users, even those who don't know what XSS means.

For example: do you prefer having a <cfqueryparam> tag to treat SQL injection, or do you prefer a third-party publicly available function?
How many websites would be protected with the first option and how many sites would be protected with the second?

Anyway, thank you for answering the question and sharing your thoughts and the links about the issue.

Thank you,
Ronan


Todd Rafferty

Nov 26, 2009, 8:39:53 AM
to ra...@googlegroups.com
Right, if you're trying to get this pushed as a whole CFML implementation so that all the engines implement it, then you should approach http://www.opencfml.org/ - since they're the deciding body of cfml. All we can do is either support a community project or, if enough votes are on it, perhaps Railo will implement it and hope the other cfml engines follow suit.

~Todd Rafferty ** Volunteer Railo Open Source Community Manager ** http://getrailo.org/

Ronan Lucio

Nov 26, 2009, 8:50:07 AM
to ra...@googlegroups.com
Hi Michael,

2009/11/26 Michael Offner-Streit <michael...@railo.ch>

> I think the most important point is that you have all the basic
> functionality to do things like this with only some lines of code.

Yes, I agree.

> Having functions/tags that are too focused on a specific need, these
> functions will never match your requirements or they are too complicated,
> because they have tons of arguments.

In your opinion, is treating string inputs against XSS attacks a specific need?
My opinion is that it's in the nature of web development.

> But you can open a uservoice for it and when there are many votes for
> it, we will implement it.

Well, I'm sorry if this list isn't the right place to talk about these subjects.
I just don't know where the better place to discuss these concerns is, so I thought it would be here.

Besides, I don't know if uservoice is that place, since it would compete with long-standing projects like "Implement hibernate", "Full cfscript support" and "Memcached", which of course are also very important requirements to be added to the project and, of course, more important than a simple function implementation.

Anyway, don't worry. It's just thoughts...
I will continue implementing these functions internally (or publicly, if that helps someone). I just thought that, given the web nature of CFML applications, it would be nice to have it as a native implementation.

Thank you for your answer and thoughts,
Ronan

Todd Rafferty

Nov 26, 2009, 9:02:24 AM
to ra...@googlegroups.com
> Besides, I don't know if uservoice is that place, since it would compete with long-standing projects like "Implement hibernate", "Full cfscript support" and "Memcached", which of course are also very important requirements to be added to the project and, of course, more important than a simple function implementation.

Uservoice is the correct place and the fact that hibernate / full script support is there should not discourage you. XSS support is indeed important, but it's also ever changing as hackers are always trying to find new ways to bypass parsers, etc.

Hibernate / Scripting support is on the timeline for Q1 2010, so those votes will eventually get refunded back into the system and the community can put those points back into topics that are important to them.

This morning, I just marked 1 project as completed and declined 2 because the community is taking care of them. Votes should be refunded soon if they haven't been already.

Ronan Lucio

Nov 26, 2009, 9:03:31 AM
to ra...@googlegroups.com
Todd,

Just one more point:
It isn't only about XSS attacks at all.

Say an application has a form with a name input field and a user inputs a special character into it.
Let's suppose an ENTER (ASCII 13).

name = "John " & chr(13) & " John";

If you need to generate XML, it would generate:

<name="John
 John">

Well, it's easy: just use stripCR(name).
And what if the user inserts another character like a TAB, a DEL, a BACKSPACE and so on?

OK, no problem, you just write a function that accepts only alphanumeric characters.
Hmm... what about "/", ",", ":", "@"?
Well, so you write a function with a regexp that accepts only a whitelist of characters.

But how many times will almost all of us need to go through these thoughts?

It would be nice to have a native function for that.

For the same reason as <cfqueryparam>: we don't need to know the exact implementation of the <cfqueryparam> tag, but we are happy that it exists and keeps us safe.

And it's one of the reasons and examples that we use to advocate in favor of CFML.

...just thoughts...

Ronan
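An added example (not code from the post above or from Railo) of the two approaches the post walks through: a whitelist check on the input, and escaping for the output context so the XML stays well-formed regardless. isValidPersonName() and nameToXmlAttribute() are assumed names, and the sample values are constructed.

```cfml
<cfscript>
// Added example, not code from the original post or from Railo.
// isValidPersonName() and nameToXmlAttribute() are assumed names.

// Whitelist for a person-name field: letters, digits, space and a few
// punctuation characters. TAB, DEL, ENTER, '<' and friends never match,
// so the value is rejected instead of being repaired later.
boolean function isValidPersonName(required string name) {
    // POSIX classes work inside reFind(); the hyphen sits last so it is literal.
    return len(trim(arguments.name)) gt 0
        and len(arguments.name) lte 100
        and reFind("^[[:alnum:] .,'/:@-]+$", arguments.name) gt 0;
}

// Output-side escaping for the XML case from the post: XMLFormat() turns
// & < > " ' into entities, so the attribute stays well-formed even when a
// value slipped past validation somewhere upstream.
string function nameToXmlAttribute(required string name) {
    return '<person name="' & XMLFormat(arguments.name) & '" />';
}

// Constructed sample values.
brokenName = "John " & chr(13) & " John";   // the ENTER from the post
goodName   = "John O'Neil-Smith";

writeOutput(isValidPersonName(brokenName));
writeOutput("<br />");
writeOutput(isValidPersonName(goodName));
writeOutput("<br />");
writeOutput(HTMLEditFormat(nameToXmlAttribute(goodName)));
</cfscript>
```

The name with the embedded chr(13) fails the whitelist because CR is not in the character class, while the apostrophe and hyphen in the second name pass. The two functions are complementary, not alternatives: the whitelist enforces a business rule at input time, and XMLFormat() guarantees well-formed output no matter which path the value took. The ASCII-only class rejects accented names, so widen it deliberately for the locales the application serves rather than dropping the check.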

Todd Rafferty

Nov 26, 2009, 9:10:57 AM
to ra...@googlegroups.com
Ronan,

You are responsible for the business rules of what acceptable characters are allowed in your application. CFML alone has all the functions to support these rules in the form of isValid(), usage of regular expression, etc. However, no one function is going to 'wave the magic wand' and fix all that - not to mention, my usage of acceptable characters may differ from yours. 

So, again... would you prefer that all engines disallow everything with a sweeping hand? Then you would complain that you need a character entity and I would complain about how it breaks my application. This is why the user is responsible for implementing the rules appropriately to their needs.

~Todd Rafferty ** Volunteer Railo Open Source Community Manager ** http://getrailo.org/




Ronan Lucio

Nov 26, 2009, 10:11:24 AM
to ra...@googlegroups.com
Hi Todd,

2009/11/26 Todd Rafferty <to...@getrailo.org>
> Right, if you're trying to get this pushed as a whole CFML implementation so that all the engines implement it, then you should approach http://www.opencfml.org/ - since they're the deciding body of cfml.

Thank you for your attention.
That's what I was looking for.

Ronan

Todd Rafferty

Nov 26, 2009, 10:14:13 AM
to ra...@googlegroups.com
The "voice of the cfml developers" on opencfml.org would be Rob Brooks-Bilson, Raymond Camden, Peter J. Farrell. Basically anyone with "Community" beside their name, as everyone else is vendor specific.

~Todd Rafferty ** Volunteer Railo Open Source Community Manager ** http://getrailo.org/

Stefan

Nov 26, 2009, 1:40:29 PM
to Railo
What I do with all these "good to have" functions, like isValidEmail(), stripHTML(), queryToArrayOfStructs(), is that I put them all in a component, cfextended.cfc. Then I load that into the server or application scope and get easy access to them: <cfif server.cfextended.isValidEmail('dyslectics have more fnu')>
It has saved me plenty of time.
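An added example (not Stefan's code or Railo's) of the arrangement he describes: a cfextended.cfc holding two of the "good to have" functions, created once in onApplicationStart() and reached through the application scope. The block shows three files separated by comments; the file names, the application name and the function bodies are assumptions.

```cfml
// ---- cfextended.cfc (assumed file name; added example, not Stefan's code) ----
component {

    // Email check delegating to the built-in isValid(); wrapping it here keeps
    // every call site on one rule that can be tightened in a single place.
    public boolean function isValidEmail(required string address) {
        return isValid("email", trim(arguments.address));
    }

    // Removes markup so text can be searched or shown as plain text. This is
    // not an XSS defence by itself: still encode with HTMLEditFormat() at output.
    public string function stripHTML(required string html) {
        return reReplace(arguments.html, "<[^>]*>", "", "all");
    }
}

// ---- Application.cfc ----
component {
    this.name = "cfextendedDemo";   // assumed application name
    this.applicationTimeout = createTimeSpan(1, 0, 0, 0);

    public boolean function onApplicationStart() {
        // Instantiated once per application; every request shares this instance.
        application.cfextended = createObject("component", "cfextended");
        return true;
    }
}

// ---- any .cfm page of the application, after a form post ----
<cfif application.cfextended.isValidEmail(form.email)>
    <cfoutput>#HTMLEditFormat(application.cfextended.stripHTML(form.comment))#</cfoutput>
</cfif>
```

Caching the instance in onApplicationStart() means the component is compiled and created once rather than on every request, and the application scope (rather than server scope) keeps one application's helper set from leaking into another running on the same engine.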

Gert Franz

Nov 26, 2009, 2:10:27 PM
to ra...@googlegroups.com
Well, you copy them into the corresponding folder and then you have them as
internal functions. Just have a look here:

http://www.railo.ch/blog/index.cfm/2009/7/23/Railo-31-Building-your-own-BuiltInFunction

Greetings from Switzerland
Gert Franz

Railo Technologies Professional Open Source
skype: gert.franz ge...@getrailo.com
+41 76 5680 231 www.getrailo.com


-----Original Message-----
From: Stefan [mailto:stefan.v...@googlemail.com]
Sent: Thursday, 26 November 2009 19:40
To: Railo
Subject: [railo] Re: Talking about HTMLEditFormat()

Stefan

Nov 26, 2009, 2:35:53 PM
to Railo
Wow, that is really cool!

On Nov 26, 8:10 pm, "Gert Franz" <g...@getrailo.com> wrote:
> Well, you copy them into the corresponding folder and then you have them as
> internal functions. Just have a look here:
>
> http://www.railo.ch/blog/index.cfm/2009/7/23/Railo-31-Building-your-o...
> tInFunction
>
> Greetings from Switzerland
> Gert Franz
>
> Railo Technologies      Professional Open Source
> skype: gert.franz       g...@getrailo.com
> +41 76 5680 231         www.getrailo.com
>
> -----Original Message-----
> From: Stefan [mailto:stefan.vesterl...@googlemail.com]

denstar

Nov 26, 2009, 4:14:27 PM
to ra...@googlegroups.com
There are some Ant build scripts (+generic install.cfc &c) for
creating Railo extensions, too. Extensions are a great way to share
things like this.

For custom tag extensions, it's a matter of setting a property and
then running the build.

There's even a couple of horribly written MXUnit tests for testing the
extension install and whatnot.

Anybody want to be the maintainer of a public railo project for these
tags? I'll even create the initial build, if there's some existing
sources.

If the project is popular, that would be a good argument for inclusion
in the core, I reckon, but I'm telling y'all-- these extensions and
plugins are going to revolutionize the way you do stuff. It's so easy
to just pick what you want and have it magically installed... think
package management if you do *nix type stuff.

Very cool.

:den

--
It is easy to hate and it is difficult to love. This is how the whole
scheme of things works. All good things are difficult to achieve; and
bad things are very easy to get.
Confucius

Ronan Lucio

Nov 27, 2009, 7:39:47 AM
to ra...@googlegroups.com
Hi Gert,

It's really amazing.
The only problem I see is that it slightly hurts software maintainability, since on every function update I need to send it to the infrastructure department to put it in the right place.

Is there a way to upload these files/functions via the Railo admin?

Thank you,
Ronan


Gert Franz

Nov 27, 2009, 9:27:26 AM
to ra...@googlegroups.com

Sure there is :)

Enter Railo Extensions…

http://wiki.getrailo.org/wiki/Extensions:overview

Greetings from Switzerland
Gert Franz

Railo Technologies Professional Open Source
skype: gert.franz ge...@getrailo.com
+41 76 5680 231 www.getrailo.com

 

Ronan Lucio

Nov 27, 2009, 10:07:26 AM
to ra...@googlegroups.com
Thank you Gert,
Ronan
