Is CFDocument supported in CFSscript specifically with Adobe ColdFusion 2021?
I know that this was not possible in previous versions (but is possible with Lucee). However, I can't find any official documentation either way. I'm hoping someone can point me to any relevant documentation on this.
Thanks!
Yes, it is possible to use cfdocument in cfscript, in ColdFusion 2021.
To be clear, nearly all tags have been supported as cfscript since CF11, released in 2014. Here's the documentation for that from the intro section in the CFML Reference:
As general syntax for script support, a ColdFusion tag is invoked like a function call in CFSCRIPT block with tag name is used for the function name. The tag attributes are passed as comma separated name-value pairs to it, like arguments are passed to a function. The child tag (and the body in general) is defined within a curly brackets, just like a function block.
So as an example, this:
<cfdocument format="pdf">
test
</cfdocument>
could become:
<cfscript>
cfdocument(format="pdf"){
writeoutput("test");
};
</cfscript>
Note how you must use a writeoutput within the body of the document to provide the content of the PDF, even though the cfdocument does not require any corresponding cfoutput. (FWIW, some CFML tags do, like cfsavecontent.) And of course you can use cfdocumentitem, cfdocumentsection, etc. See the docs page about how nested tags are handled in script.
Finally, it's indeed true that Adobe never changed each page of the CFML Reference to indicate a) this change to support all tags as script, nor b) to show using each tag as script.
While it's unfortunate that the CFML Reference is not open source, for us to propose changes, the cfdocs.org site is open source--and I just noticed that their page on cfdocument does not show using it as script, so I will try to offer a PR.
Related
I have a page template in Tridion 2011 with Razor code that prints information based on RenderComponentPresentation() as the first thing in the page. No other markup comes before it, because the component, not the page, contains the initial markup. Unless I put at least one character before the first RenderComponentPresentation in the published output, the template refuses to render any presentations.
So, for example, if this is all that is in the layout TBB this works (in my real code the tcms are real of course):
<
#RenderComponentPresentation("tcm:mytcm","tcm:myothertcm")
but this does not
#RenderComponentPresentation("tcm:mytcm","tcm:myothertcm")
The first prints the contents of the component preceded by the "<", whereas the second does nothing at all. I don't want to have ANY markup directly at the start of the page template, I want the first thing to be the component. Is it possible?
I've just done a quick test in Template Builder using the latest version of the Razor Mediator (1.2) and couldn't replicate your issue.
Maybe you could try:
<text></text>
#RenderComponentPresentation("tcm:mytcm","tcm"myothertcm")
It won't render any additional markup but may trick the mediator into doing what you want (though like I said, I can't replicate your problem so can't verify whether it does).
Normally with Razor you iterate over any and all Component Presentations on the page, and right now I'm working with
#foreach(var cp in ComponentPresentations){
#cp.RenderComponentPresentation()
}
This will render every component on the page, regardless of predefined schema's or templates. Your issue however suggest a problem elsewhere. What kind of output does your page template generate (do mind its the page template using a compound template which in turn includes the Razor TBB you describe here). Is it .aspx, HTML or other? And what is the Component templates' output? is it an HTML fragment, or anything else?
As far as you syntax goes, that should be just fine other than the template invocation:
#RenderComponentPresentation("tcm:x-xxx-xx", "tcm:xx-xxx-xx")
I have a feeling this code only works when used within HTML tags, though, but that's just a hunch.
Bit of a hack but have you tried:
<text>#RenderComponentPresentation("tcm:x-xxx-xx", "tcm:xx-xxx-xx")</text>
or
#Html.Raw(RenderComponentPresentation("tcm:x-xxx-xx", "tcm:xx-xxx-xx"))
Disclaimer: not really used Razor mediator. Just Razor.
I'm looking for a complete list of tags that are not available in ColdFusion 9 script syntax.
Example:
CFSetting: is one example that is available in Railo but not in CF9 for use in cfscript
CFDocument: I can't find this one so far.
Not an official list by any measure, but this is a list I presented to a private forum a while back, and it didn't receive too much correction (and those corrections have been integrated). It was in the context of what CF does and doesn't need to be implemented, to claim 100% coverage in CFScript.
Summary of omissions:
These ones are significant omissions:
<cfcollection>
<cfexchangecalendar>
<cfexchangeconnection>
<cfexchangecontact>
<cfexchangefilter>
<cfexchangemail>
<cfexchangetask>
<cfexecute>
<cfindex>
<cfinvoke> (support for dynamic method names)
<cflogin>
<cfloginuser>
<cflogout>
<cfmodule>
<cfoutput> (implementation of query looping with grouping)
<cfparam> (fix the bug in that enforced requiredness doesn’t work (ie: param name="foo";))
<cfsearch>
<cfsetting>
<cfwddx>
<cfzip>
<cfzipparam>
There’s a reasonable case for these ones to be implemented:
<cfassociate>
<cfcache>
<cfcontent>
<cfflush>
<cfhtmlhead>
<cfheader>
<cfntauthenticate>
<cfprint>
<cfschedule>
<cfsharepoint>
These ones... I’m ambivalent:
<cfgridupdate>
<cfinsert>
<cfobjectcache>
<cfregistry>
<cfreport>
<cfreportparam>
<cftimer>
<cfupdate>
We don’t need these ones at all, I think:
<cfajaximport>
<cfajaxproxy>
<cfapplet>
<cfcalendar>
<cfchart>
<cfchartdata>
<cfchartseries>
<cfcol>
<cfdiv>
<cfdocument>
<cfdocumentitem>
<cfdocumentsection>
<cffileupload>
<cfform>
<cfformgroup>
<cfformitem>
<cfgraph>
<cfgraphdata>
<cfgrid>
<cfgridcolumn>
<cfgridrow>
<cfinput>
<cflayout>
<cflayoutarea>
<cfmap>
<cfmapitem>
<cfmediaplayer>
<cfmenu>
<cfmenuitem>
<cfpod>
<cfpresentation>
<cfpresentationslide>
<cfpresenter>
<cfselect>
<cfsilent>
<cfslider>
<cfsprydataset>
<cftable>
<cftextarea>
<cftextinput>
<cftooltip>
<cftree>
<cftreeitem>
<cfwindow>
If there's anything here that you think ought to be included in CFScript, please raise an issue here - http://cfbugs.adobe.com/cfbugreport/flexbugui/cfbugtracker/main.html - and cross reference the issue number here.
HTH.
I would argue that there are no commands that are not available as script as you can extend and write the missing bits using cfc's.
Thus wrap your favourite missing <cftag in a cfc and call it using new
However, here is a list of what is supported
http://help.adobe.com/en_US/ColdFusion/9.0/Developing/WSe9cbe5cf462523a02805926a1237efcbfd5-7ffe.html
I want to use <cfhtmlhead> in a full script component. But it appears that it has no <cfscript> equivalent.
The CFScript reference is available here.
Is there a work around to use this functionality in a full script CFC?
You would need to write a tag based version that is then included into the script based CFC. I've done this before for things like cfsetting.
I have been working with Coldfusion 9 lately (background in PHP primarily) and I am scratching my head trying to figure out how to 'clean/sanitize' input / string that is user submitted.
I want to make it HTMLSAFE, eliminate any javascript, or SQL query injection, the usual.
I am hoping I've overlooked some kind of function that already comes with CF9.
Can someone point me in the proper direction?
Well, for SQL injection, you want to use CFQUERYPARAM.
As for sanitizing the input for XSS and the like, you can use the ScriptProtect attribute in CFAPPLICATION, though I've heard that doesn't work flawlessly. You could look at Portcullis or similar 3rd-party CFCs for better script protection if you prefer.
This an addition to Kyle's suggestions not an alternative answer, but the comments panel is a bit rubbish for links.
Take a look a the ColdFusion string functions. You've got HTMLCodeFormat, HTMLEditFormat, JSStringFormat and URLEncodedFormat. All of which can help you with working with content posted from a form.
You can also try to use the regex functions to remove HTML tags, but its never a precise science. This ColdFusion based regex/html question should help there a bit.
You can also try to protect yourself from bots and known spammers using something like cfformprotect, which integrates Project Honeypot and Akismet protection amongst other tools into your forms.
You've got several options:
"Global Script Protection" Administrator setting, which applies a regular expression against post and get (i.e. FORM and URL) variables to strip out <script/>, <img/> and several other tags
Use isValid() to validate variables' data types (see my in depth answer on this one).
<cfqueryparam/>, which serves to create SQL bind parameters and validate the datatype passed to it.
That noted, if you are really trying to sanitize HTML, use Java, which ColdFusion can access natively. In particular use the OWASP AntiSamy Project, which takes an HTML fragment and whitelists what values can be part of it. This is the same approach that sites like SO and slashdot.org use to protect submissions and is a more secure approach to accepting markup content.
Sanitation of strings in coldfusion and in quite any language is very important and depends on what you want to do with the string. most mitigations are for
saving content to database (e.g. <cfqueryparam ...>)
using content to show on next page (e.g. put url-parameter in link or show url-parameter in text)
saving files and using upload filenames and content
There is always a risk if you follow the idea to prevent and reduce a string by allow basically everything in the first step and then sanitize malicious code "away" by deleting or replacing characters (blacklist approach).
The better solution is to replace strings with rereplace(...) agains regular expressions that explicitly allow only the characters needed for the scenario you use it as an easy solution, whenever this is possible. use cases are inputs for numbers, lists, email-addresses, urls, names, zip, cities, etc.
For example if you want to ask for a email-address, you could use
<cfif reFindNoCase("^[A-Z0-9._%+-]+#[A-Z0-9.-]+\.(?:[A-Z]{5})$", stringtosanitize)>...ok, clean...<cfelse>...not ok...</cfif>
(or an own regex).
For HTML-Imput or CSS-Imput I would also recommend OWASP Java HTML Sanitizer Project.
I'm being forced/payed to work on a Legacy ColdFusion project (I'm an usual C# programmer) and one peculiarity with CF is that they have they're own tags that are supposed to blend with HTML (bad bad decision, IMO, since it just confuses the hell out of me even with the "starts with cf rule).
Besides this, they have the # character to indicate the start of CF "territory" much alike <% in ASP.Net or $ in Spark or so many equivalents. But this only gets parsed if inside a tag.
My question is: Is there a problem with opening one tag in the begining of the file and closing it, against using only when i'm going to use the # character?
To illustrate here's some code:
<cfoutput>
Some text #SomeVar# Some text.<br />
Some Images some other things #AnotherVar#
</cfoutput>
Against:
Some text <cfoutput>#SomeVar#</cfoutput> Some text.<br/>
Some Images some other things <cfoutput>#AnotherVar#</cfoutput>
Granted, this is might seem trivial for small content but i'm talking about a whole page.
Depending on the page contents, either is fine. There may be a performance impact (minor) by putting all of your page inside the CFOUTPUT tag, because the CFML engine needs to parse and scan the contents of the tag for executable code. Outside of the CFOUTPUT tag, the CFML engine can ignore the page as static content.
If you have CSS and HTML code that uses pound signs (for example named anchors or Hex color codes), you need to escape all pound signs (by adding a second one like "##") when within a CFOUTPUT. Because of this, I generally only put the CFOUTPUT around code I specifically want the CF engine to run.
That said, the CFML engine pays a bit of a performance penalty for constantly opening and closing the CFOUTPUT. If you're looping over come content, put the CFOUTPUT around the entire loop, rather than opening and closing it in each iteration of the loop.
Also, if you're having trouble knowing what code is CFML and what isn't, you might want to get a better IDE/editor for CFML like CFEclipse. It color codes the tags and lets you see the difference between CFML and HTML tags immediately. It's open source.
One problem you might find is that cfoutput is often used to display queries and they can not be nested inside of other cfoutput tags. So this will cause a 'Invalid tag nesting configuration' error
<cfoutput>
<cfoutput query="qFriends">
<li>#qFriends.fname# #qFriends.lname#</li>
</cfoutput>
</cfoutput>
It should not be a big issue but be careful using hex-valued colors, you'll need to escape those with an extra #. If it was me, I would try to break down those huge chunks of content into smaller pieces. Let HTML, JS, Flash and CSS do their jobs and use CF for the server side.
If you want to put cfoutput at the beginning and end of the page, you have to use double sign ## for colors value.