How do you protect css id - coldfusion
I have a value coming in that will ultimately be an html id= attribute. I don't have control over what set the value, so it is possible that it is not safe. I know to check for single quotes and double quotes, but ow do I check to make sure that it clean?
variables.result &= '<div class="alert alert-danger"';
if(attributes.id != "") variables.result &= ' id="#attributes.id#"';
If using ColdFusion to generate the variable name, you could use the "variablise" method of the Inflector CFC. It will convert any string into a safe underscore-separated list that can be used as a ColdFusion variable name. (Inflector is based on the Ruby on Rails ActiveSupport::Inflector class.)
https://github.com/timblair/coldfusion-inflector
<cffunction name="variablise" access="public" returntype="string" output="no" hint="Converts a string to a variable name, e.g. CamelCase becomes camel_case, 'big CSSDogThing' becomes big_css_dog_thing etc.">
<cfargument name="string" type="string" required="yes" hint="The string to variablise">
<cfset arguments.string = replace(trim(rereplace(arguments.string, "([^[:alnum:]_-]+)", " ", "ALL")), " ", "-", "ALL")>
<cfset arguments.string = rereplace(arguments.string, "([A-Z]+)([A-Z][a-z])", "\1_\2", "ALL")>
<cfset arguments.string = rereplace(arguments.string, "([a-z\d])([A-Z])", "\1_\2", "ALL")>
<cfreturn lcase(replace(arguments.string, "-", "_", "ALL"))>
</cffunction>
If I understand you correctly then this might be what you're looking for:
http://code.google.com/p/google-caja/wiki/JsHtmlSanitizer
EDIT: in PHP:
What's the best method for sanitizing user input with PHP?
EDIT2: didn't see you are using coldfusion, maybe this is it:
Cleansing string / input in Coldfusion 9
Related
Convert Special Characters to HTML - ColdFusion
I need to convert a lot of special characters to their html format and I am trying to do this with a function that is using ReplaceList but something is wrong with the function or the values I am passing to it.
This is the function
<cffunction name="HtmlUnEditFormat" access="public" returntype="string" output="no" displayname="HtmlUnEditFormat" hint="Undo escaped characters">
<cfargument name="str" type="string" required="Yes" />
<cfscript>
var lEntities = "&##xE7;,&##xF4;,&##xE2;,Î,Ç,È,Ó,Ê,&OElig,Â,«,»,À,É,≤,ý,χ,∑,′,ÿ,∼,β,⌈,ñ,ß,„,´,·,–,ς,®,†,⊕,õ,η,⌉,ó,,>,φ,∠,,α,∩,↓,υ,ℑ,³,ρ,é,¹,<,¢,¸,π,⊃,÷,ƒ,¿,ê, ,∅,∀, ,γ,¡,ø,¬,à,ð,ℵ,º,ψ,⊗,δ,ö,°,≅,ª,‹,♣,â,ò,ï,♦,æ,∧,◊,è,¾,&,⊄,ν,“,∈,ç,ˆ,©,á,§,—,ë,κ,∉,⌊,≥,ì,↔,∗,ô,∞,¦,∫,¯,½,¤,≈,λ,⁄,‘,…,œ,£,♥,−,ã,ε,∇,∃,ä,μ,¼, ,≡,•,←,«,‾,∨,€,µ,≠,∪,å,ι,í,⊥,¶,→,»,û,ο,‚,ϑ,∋,∂,”,℘,‰,²,σ,⋅,š,¥,ξ,±,ℜ,þ,〉,ù,√,,∴,↑,×, ,θ,⌋,⊂,⊇,ü,’,ζ,™,î,ϖ,,〈,˜,ú,¨,∝,ϒ,ω,↵,τ,⊆,›,∏,",,♠";
var lEntitiesChars = "ç,ô,â,Î,Ç,È,Ó,Ê,Œ,Â,«,»,À,É,?,ý,?,?,?,Ÿ,?,?,?,ñ,ß,„,´,·,–,?,®,‡,?,õ,?,?,ó,,>,?,?,?,?,?,?,?,?,³,?,é,¹,<,¢,¸,?,?,÷,ƒ,¿,ê,?,?,?,?,?,¡,ø,¬,à,ð,?,º,?,?,?,ö,°,?,ª,‹,?,â,ò,ï,?,æ,?,?,è,¾,&,?,?,“,?,ç,ˆ,©,á,§,—,ë,?,?,?,?,ì,?,?,ô,?,¦,?,¯,½,¤,?,?,?,‘,…,œ,£,?,?,ã,?,?,?,ä,?,¼, ,?,•,?,«,?,?,€,µ,?,?,å,?,í,?,¶,?,»,û,?,‚,?,?,?,”,?,‰,²,?,?,š,¥,?,±,?,þ,?,ù,?,?,?,?,×,?,?,?,?,?,ü,’,?,™,î,?,?,?,˜,ú,¨,?,?,?,?,?,?,›,?,"",?,?";
</cfscript>
<cfreturn ReplaceList(arguments.str, lEntities, lEntitiesChars) />
</cffunction>
This is how I am calling it:
<cfoutput>
<cfloop query="local.q" startrow="2">
#HtmlUnEditFormat(consultServiceType)# <br />
</cfloop>
</cfoutput>
These are the strings I am passing to it:
Security?
Security Guard®
Alarm System©
Private Investigator;
I am not getting any errors back (I had a cftry in the function before) and the strings come back the same
EDIT:
I've tried using #FindNoCase('©',consultServiceType)# and is returning 0 so I guess something is wrong with the string I am passing in?
You're using CF11, did you try EncodeForHTML() ?
The accepted answer is the better approach (don't reinvent the wheel), but your function isn't working because you have lEntities and lEntitiesChars mixed up.
<cffunction name="HtmlUnEditFormat" access="public" returntype="string" output="no" displayname="HtmlUnEditFormat" hint="Undo escaped characters">
<cfargument name="str" type="string" required="Yes" />
<cfscript>
var lEntities = "&##xE7;,&##xF4;,&##xE2;,Î,Ç,È,Ó,Ê,&OElig,Â,«,»,À,É,≤,ý,χ,∑,′,ÿ,∼,β,⌈,ñ,ß,„,´,·,–,ς,®,†,⊕,õ,η,⌉,ó,,>,φ,∠,,α,∩,↓,υ,ℑ,³,ρ,é,¹,<,¢,¸,π,⊃,÷,ƒ,¿,ê, ,∅,∀, ,γ,¡,ø,¬,à,ð,ℵ,º,ψ,⊗,δ,ö,°,≅,ª,‹,♣,â,ò,ï,♦,æ,∧,◊,è,¾,&,⊄,ν,“,∈,ç,ˆ,©,á,§,—,ë,κ,∉,⌊,≥,ì,↔,∗,ô,∞,¦,∫,¯,½,¤,≈,λ,⁄,‘,…,œ,£,♥,−,ã,ε,∇,∃,ä,μ,¼, ,≡,•,←,«,‾,∨,€,µ,≠,∪,å,ι,í,⊥,¶,→,»,û,ο,‚,ϑ,∋,∂,”,℘,‰,²,σ,⋅,š,¥,ξ,±,ℜ,þ,〉,ù,√,,∴,↑,×, ,θ,⌋,⊂,⊇,ü,’,ζ,™,î,ϖ,,〈,˜,ú,¨,∝,ϒ,ω,↵,τ,⊆,›,∏,",,♠";
var lEntitiesChars = "ç,ô,â,Î,Ç,È,Ó,Ê,Œ,Â,«,»,À,É,?,ý,?,?,?,Ÿ,?,?,?,ñ,ß,„,´,·,–,?,®,‡,?,õ,?,?,ó,,>,?,?,?,?,?,?,?,?,³,?,é,¹,<,¢,¸,?,?,÷,ƒ,¿,ê,?,?,?,?,?,¡,ø,¬,à,ð,?,º,?,?,?,ö,°,?,ª,‹,?,â,ò,ï,?,æ,?,?,è,¾,&,?,?,“,?,ç,ˆ,©,á,§,—,ë,?,?,?,?,ì,?,?,ô,?,¦,?,¯,½,¤,?,?,?,‘,…,œ,£,?,?,ã,?,?,?,ä,?,¼, ,?,•,?,«,?,?,€,µ,?,?,å,?,í,?,¶,?,»,û,?,‚,?,?,?,”,?,‰,²,?,?,š,¥,?,±,?,þ,?,ù,?,?,?,?,×,?,?,?,?,?,ü,’,?,™,î,?,?,?,˜,ú,¨,?,?,?,?,?,?,›,?,"",?,?";
</cfscript>
<cfreturn ReplaceList(arguments.str, lEntitiesChars, lEntities) />
</cffunction>
<cfoutput>#htmluneditformat("Company?")#</cfoutput>
Further, #ReplaceList()# in both ACF and Railo/Lucee recurse through the list, which means the order of the lists matter. With the fix I suggest, ? becomes ≤. A fix to this would be to move & and the code for it to the beginning of each list.
Consider this simple piece of code
<cfoutput>#replacelist("abc","a,b","b,c")#</cfoutput>
You would probably expect the output to be "bcc", but that's not how ReplaceList works, it works something more like this
<cfset sx = "abc">
<cfset listf = "a,b">
<cfset listr = "b,c">
<cfloop from="1" to="#listlen(listf)#" index="i">
<cfset sx = replace(sx,listgetat(listf,i),listgetat(listr,i),"ALL")>
<!--- iteration one replaces a with b to make bbc --->
<!--- iteration two replaces b with c to make ccc --->
</cfloop>
I'm not suggesting that someone use this code when CF has the built in functionality, I'm merely explaining why it doesn't work and a pitfall of ReplaceList().
String concatenation issue with Railo4
I'm working on an application built on Railo4 and am running into an interesting issue. I'm not doing anything new here as far as ColdFusion code goes. simply taking some strings, concatenating where needed, and returning a string. <cffunction name="customBuildURL" access="public" returntype="string"> <cfargument name="subsystem" type="string" required="true" /> <cfargument name="section" type="string" required="true" /> <cfargument name="item" type="string" required="true" /> <cfargument name="args" type="string" required="true" /> <cfset var url = "index.cfm?action=" & ARGUMENTS.subsystem & ":" & ARGUMENTS.section /> <cfif Ucase(ARGUMENTS.item) NEQ "DEFAULT" > <cfset url &= "." & ARGUMENTS.item /> </cfif> <cfif ARGUMENTS.args NEQ "" > <cfset url &= ARGUMENTS.args /> </cfif> <cfreturn url /> </cffunction> However, I'm getting two unusual errors. 1) The first is: Can't cast Complex Object Type Struct to String and is being reported for the following two lines: <cfset url &= "." & ARGUMENTS.item /> <cfset url &= ARGUMENTS.args /> 2) The second is the function customBuildURL has an invalid return value , can't cast Object type [url] to a value of type [string] upon return of the url variable. As you can see, I'm not doing anything elaborate here. Just setting some strings, concatenating them and then returning it. I don't see where an 'Object' is being created and being cast as a string. I double checked the use of the &= operator and that doesn't appear to be the issue because if I do a url = url & "." & ARGUMENTS.item the same error is reported. Any ideas?
Sly, Railo does not allow you to use ANY scope as a variable inside functions. This is an intentional incompatibility, since Coldfusion does allow that. But after doing that, you will not be able to access the URL scope anymore. That's why we don't allow that. Just call the variable sUrl for instance. HTH Gert Franz Railo ltd.
Url is a reserved word in ColdFusion, so even though you're var-ing it in the function it's still picking up the actual structure of url variables. Here's a complete list of reserved words in ColdFusion
How can I retrieve a (quasi) Array from a URL string?
I would like to achieve something I can easily do in .net. What I would like to do is pass multiple URL parameters of the same name to build an array of those values. In other words, I would like to take a URL string like so: http://www.example.com/Test.cfc?method=myArrayTest&foo=1&foo=2&foo=3 And build an array from the URL parameter "foo". In .net / C# I can do something like this: [WebMethod] myArrayTest(string[] foo) And that will build a string array from the variable "foo". What I have done so far is something like this: <cffunction name="myArrayTest" access="remote" returntype="string"> <cfargument name="foo" type="string" required="yes"> This would output: 1,2,3 I'm not thrilled with that because it's just a comma separated string and I'm afraid that there may be commas passed in the URL (encoded of course) and then if I try to loop over the commas it may be misinterpreted as a separate param. So, I'm stumped on how to achieve this. Any ideas?? Thanks in advance!!
Edit: Sergii's method is more versatile. But if you are parsing the current url, and do not need to modify the resulting array, another option is using getPageContext() to extract the parameter from the underlying request. Just be aware of the two quirks noted below. <!--- note: duplicate forces the map to be case-INsensitive ---> <cfset params = duplicate(getPageContext().getRequest().getParameterMap())> <cfset quasiArray = []> <cfif structKeyExists(params, "foo")> <!--- note: this is not a *true* CF array ---> <!--- you can do most things with it, but you cannot append data to it ---> <cfset quasiArray = params["foo"]> </cfif> <cfdump var="#quasiArray#">
Well, if you're OK with parsing the URL, following "raw" method may work for you:
<cffunction name="myArrayTest" access="remote" output="false">
<cfset var local = {} />
<!--- parse raw query --->
<cfset local.args = ListToArray(cgi.QUERY_STRING, "&") />
<!--- grab only foo's values --->
<cfset local.foo = [] />
<cfloop array="#local.args#" index="local.a">
<cfif Left(local.a, 3) EQ "foo">
<cfset ArrayAppend(local.foo, ListLast(local.a, "=")) />
</cfif>
</cfloop>
<cfreturn SerializeJSON(local.foo) />
</cffunction>
I've tested it with this query: ?method=myArrayTest&foo=1&foo=2&foo=3,3, looks to work as expected.
Bonus. Railo's top tip: if you format the query as follows, this array will be created automatically in URL scope ?method=myArrayTest&foo[]=1&foo[]=2&foo[]=3,3.
listToArray( arguments.foo ) should give you what you want.
Use coldfusion to get x number of words total including keyword
Okay this is part of my search results project, in it, I have description being returned from multiple tables. All of that part works 100%.
I currently use a trim_text function, which I pass a string, and how many words I want to keep.
However, now I need to modify it to make sure the keyword/search term is in the returning description to help show the validity of that in the search results.
Here below is the existing trim_text function, that I need your help to modify.
<cffunction name="trim_text" output="false" access="remote" returntype="string">
<cfargument name="string" type="string" required="true">
<cfargument name="word_limit" type="integer" required="false">
<cfparam name="word_limit" default=20>
<cfparam name="snippet" default="">
<cfparam name="return_string" default="">
<cfset return_string = "">
<cfset return_string = reReplace( string, "</?\w+(\s*[\w:]+\s*=\s*(""[^""]*""|'[^']*'))*\s*/?>", " ", "all" ) />
<cfset return_string = reReplace( trim( return_string ), "\s+", " ", "all" ) />
<cfset snippet = reMatch( "([^\s]+\s?){1,#word_limit#}", return_string ) />
<cfif !arrayLen( snippet )>
<cfreturn "" />
</cfif>
<cfset charCount = listlen(snippet[1]) />
<cfset wordCount = ( (word_limit * (arrayLen( snippet ) - 1)) + listLen( snippet[ arrayLen( snippet ) ], " " ) ) />
<cfif charCount gt 190>
<cfreturn left(snippet[1],190) & "..." />
</cfif>
<cfset return_string = snippet[1] & "..." />
<cfreturn return_string />
</cffunction>
So my end goal is a description that contains the keyword.
So for example.
Let us say I am searching for the keyword 'business'
And I get the correct search result, however the description doesn't have that word in the description shown, since we are limiting the description to 25 words, via the trim_text function. It makes all the descriptions look similar in size. But doesn't help prove the validity of results where the keyword is further down in the description.
Any questions? I hope I made this very clear.
I am using Coldfusion 8 Standard. I am testing this on my development server.
Thank You...
Sounds like you need to find the position of the keyword in the string, and then take the characters either side. Treat your string as a list, and use whitespace characters and punction as the delimters. Something like this: <cfset wordFoundPos = listFindNoCase(string, searchTerm, " ,.-:;") /> Say that returns 42 - that is, the searchTerm is the 42nd word. Convert that to a character position like so: <cfset charPos = findnocase(1, string, searchTerm) /> Then grab the characters either side of that character: <cfset context = mid(190, charPos-90, string) /> You'll need to detect when the searchterm is found too close to the start or end of the string to avoide errors, and to work out when to append and/or prepend ellipses to the context.
Resolving variables inside a Coldfusion string
My client has a database table of email bodies that get sent at certain times to customers. The text for the emails contains ColdFusion expressions like Dear #firstName# and so on. These emails are HTML - they also contain all sorts of HTML mark-up. What I'd like to do is read that text from the database into a string and then have ColdFusion Evaluate() that string to resolve the variables. When I do that, Evaluate() throws an exception because it doesn't like the HTML markup in there (I also tried filtering the string through HTMLEditFormat() as an intermediate step for grins but it didn't like the entities in there). My predecessor solved this problem by writing the email text out to a file and then cfincluding that. It works. It's seems really hacky though. Is there a more elegant way to handle this using something like Evaluate that I'm not seeing?
What other languages often do that seems to work very well is just have some kind of token within your template that can be easily replaced by a regular expression. So you might have a template like:
Dear {{name}}, Thanks for trying {{product_name}}. Etc...
And then you can simply:
<cfset str = ReplaceNoCase(str, "{{name}}", name, "ALL") />
And when you want to get fancier you could just write a method to wrap this:
<cffunction name="fillInTemplate" access="public" returntype="string" output="false">
<cfargument name="map" type="struct" required="true" />
<cfargument name="template" type="string" required="true" />
<cfset var str = arguments.template />
<cfset var k = "" />
<cfloop list="#StructKeyList(arguments.map)#" index="k">
<cfset str = ReplaceNoCase(str, "{{#k#}}", arguments.map[k], "ALL") />
</cfloop>
<cfreturn str />
</cffunction>
And use it like so:
<cfset map = { name : "John", product : "SpecialWidget" } />
<cfset filledInTemplate = fillInTemplate(map, someTemplate) />
Not sure you need rereplace, you could brute force it with a simple replace if you don't have too many fields to merge How about something like this (not tested) <cfset var BaseTemplate = "... lots of html with embedded tokens"> <cfloop (on whatever)> <cfset LoopTemplate = replace(BaseTemplate, "#firstName#", myvarforFirstName, "All"> <cfset LoopTemplate = replace(LoopTemplate, "#lastName#", myvarforLastName, "All"> <cfset LoopTemplate = replace(LoopTemplate, "#address#", myvarforAddress, "All"> </cfloop> Just treat the html block as a simple string.
CF 7+: You may use regular expression, REReplace()? CF 9: use Virtual File System
If the variable is in a structure from, something like a form post, then you can use "StructFind". It does exactly as you request. I ran into this issue when processing a form with dynamic inputs. Ex. StructFind(FORM, 'WhatYouNeed')