Is there a difference with the HTMLEditFormat function in ColdFusion CF9 versus CF10?
I'm seeing a difference in how htmleditformat works in CF9 vs. CF10.
htmleditformat(">")
- in CF9: showing ">" (no difference)
- in CF10: showing ">" (double-escaped, which seems correct to me)
I've looked through the CF10 release notes and reviewed the htmleditformat documentation, and I cannot find any mention of there being a difference in how the function works. Does anyone know of a difference, or know of documentation that proves there is no difference? ...Or know of other settings (ColdFusion or web server) that might cause it to work differently?
(This question is not a duplicate because I am not asking about encodeforhtml. I understand the ideal solution; I am asking in order to understand why htmleditformat might be different in CF9 vs. CF10.)
I can't imagine why the function would behave differently, especially when its planned deprecation is going forward in CF 10. Any chance you're calling it within a cfinput tag?
<cfinput id="foo" value="#htmleditformat(somevalue)#" />
If so, in CF6 - CF9, the tag uses htmleditformat() on values automatically. Calling a 2nd instance of htmleditformat() doesn't affect the output. CF 10+ updated the tag to use encodeforhtml() on values. If you throw in htmleditformat(), you're double-encoding the output.
For better security, you should stop using htmleditformat() and start using encodeforhtml() if it's available (CF10+). As of ColdFusion 11, htmleditformat() has been officially deprecated, and in ColdFusion 12 the function should be removed completely.
htmleditformat() encodes 4 characters: <, >, &, ".
encodeforhtml() encodes every character, including UTF-8 characters. The updated "encodefor" functions are contextual, so you have to pick the right one for the right context (html, htmlattribute, js, css, xml, etc.).
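As an added example (not code from the question or the answer), here is the double-encoding case described in the answer beside the form that lets cfinput encode once, plus the contextual encoders for hand-written markup. The sample value and field names are constructed; the behaviour that CF10+ cfinput applies encodeForHTML() to value is taken from the answer above.

```cfml
<!--- Constructed sample value containing the four characters htmlEditFormat() rewrites --->
<cfset somevalue = '<b title="x & y">'>

<cfform name="demo" method="post">
<cfoutput>
    <!--- Pattern from the question: manual encoding inside cfinput.
          On CF10+ the tag already applies encodeForHTML() to value, so the
          ">" is encoded twice: htmlEditFormat gives &gt;, the tag then turns
          that into &amp;gt;, and the field displays "&gt;" instead of ">". --->
    <cfinput type="text" name="doubled" value="#htmlEditFormat(somevalue)#" />

    <!--- Pass the raw value and let the tag encode exactly once --->
    <cfinput type="text" name="single" value="#somevalue#" />

    <!--- Hand-written markup gets no automatic encoding: pick the encoder
          that matches the output context (attribute vs. element body) --->
    <input type="text" name="manual" value="#encodeForHTMLAttribute(somevalue)#" />
    <p>#encodeForHTML(somevalue)#</p>
</cfoutput>
</cfform>
```

To confirm which behaviour a given server has, view the generated page source rather than the rendered field: single encoding shows &gt; in the attribute, double encoding shows &amp;gt;.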