encodeForHtml() vs htmlEditFormat()

encodeForHtml() (new in CF10) vs htmlEditFormat(), how are they different?

Henry asked May 15 '12 08:05


2 Answers

I think it is the same as the encodeForHTML function in Java's OWASP ESAPI. It is more secure for avoiding XSS attacks when using content in HTML.

<cfsavecontent variable="htmlcontent">
<html>
    <head>
        <script>function hello() {alert('hello')}</script>
    </head>
    <body>
        <a href="#bookmark">Book Mark &amp; Anchor</a><br/>
        <div class="xyz">Div contains & here.</div>
        <IMG     SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
        <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
    </body>
</html></cfsavecontent>

<cfoutput>#htmleditformat(htmlcontent)#</cfoutput>
<br />
<cfoutput>#encodeforhtml(htmlcontent)#</cfoutput>
Pritesh Patel answered Nov 17 '22 22:11


EncodeFor* functions are based on the OWASP ESAPI libraries. The main difference is that HTMLEditFormat() merely replaces "bad" strings, like &, < and > with good strings, like &amp;, &lt; and &gt; whereas EncodeForHTML() is smarter, with one advantage being it can recognize content that is already encoded and not double-encode it.

For example, if a user submitted the following content to your site:

<div>
Here is <i>test</i> html content includes<br/>
<script>alert('hello')</script>
Notice how &amp; rendered with both functions.
</div>

Both HTMLEditFormat() and EncodeForHTML() would properly escape the '<' and '>' characters. But HTMLEditFormat() would blindly encode the & again such that your output looks like:

... how &amp;amp; rendered ...

Where it would otherwise look like with encodeForHTML():

... how &amp; rendered ...

HTMLEditFormat() couldn't tell that the ampersand was already encoded, so it re-encoded it again. This is a trivial example, but it demonstrates how the ESAPI libraries are smarter and, therefore, more secure.

Bottom line, there's no reason to use HTMLEditFormat() in CF10+. For maximum protection, you should replace the Format functions with the Encode functions.

The complete example above and more background are at isummation: http://www.isummation.com/blog/day-2-avoid-cross-site-scripting-xss-using-coldfusion-10-part-1/

Brian Ghidinelli answered Nov 17 '22 22:11
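
An added illustration of the difference both answers describe, written as a small JavaScript model rather than ColdFusion or ESAPI code: a blind escaper that re-encodes an existing `&amp;`, and a canonicalize-then-encode escaper that decodes the entity references (including the semicolon-less hex and decimal forms from the first answer) before encoding once. The function names, the immune-character set and the `layers` counter are assumptions of the model, not ColdFusion's API.

```javascript
// Added example, not ColdFusion's or ESAPI's code: a JavaScript model of the two
// behaviours described above. Function names and "layers" are assumptions.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Blind escaping in the style of HTMLEditFormat(): every "&" becomes "&amp;",
// even when it already starts an entity, so "&amp;" turns into "&amp;amp;".
function htmlEditFormatLike(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// One decoding pass over named, decimal (&#106) and hex (&#x6A) references.
// The trailing ";" is optional, matching the IMG SRC vectors in the first answer.
function decodeOnce(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, body) => {
    if (body[0] !== "#") return NAMED[body.toLowerCase()] ?? m;
    const hex = body[1].toLowerCase() === "x";
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Canonicalize: decode until nothing changes and count the layers peeled off.
// More than one layer means double-encoded input, which a strict canonicalizer
// would reject rather than silently unwrap.
function canonicalize(s) {
  let layers = 0, prev;
  do {
    prev = s;
    s = decodeOnce(s);
    if (s !== prev) layers++;
  } while (s !== prev && layers < 8);
  return { text: s, layers };
}

// ESAPI-style output encoding: alphanumerics and a few immune characters pass,
// everything else becomes an entity, so canonical text cannot re-form markup.
function encodeChars(s) {
  const named = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };
  return [...s].map(ch => {
    if (/[A-Za-z0-9 ,.\-_]/.test(ch)) return ch;
    return named[ch] ?? "&#x" + ch.codePointAt(0).toString(16).toUpperCase() + ";";
  }).join("");
}

// EncodeForHTML()-like: canonicalize first, then encode the canonical text once,
// so "&amp;" in the input comes out as "&amp;" instead of "&amp;amp;".
function encodeForHtmlLike(s) {
  return encodeChars(canonicalize(s).text);
}
```

Run `htmlEditFormatLike` and `encodeForHtmlLike` over the "Book Mark &amp; Anchor" line from the first answer to see the `&amp;amp;` versus `&amp;` difference; `canonicalize(...).layers` above 1 is the signal a strict decoder would act on.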