HTMLEditFormat Syntax Issues - XSS - coldfusion

I'm attempting to work on some possible XSS flaws in my code and have run into some issues.
This code doesn’t work (line 297) - Syntax error:
#iif(HTMLEditFormat (not url.excludeFinalized),de(" disabled"),de("")) )#
This code does work (line 298):
#iif(HTMLEditFormat(url.excludeFinalized),de(" checked"),de("")) )#
This ‘not’ is what's messing me up. How would I properly place HTMLEditFormat into the code above or below?
#iif(not subgroupExercisesDone and nodeIsRollup,de("disabled"),de(""))#
Thanks for any help. I would greatly appreciate it!

I believe you need this change:
#iif((not url.excludeFinalized),de(HTMLEditFormat(" disabled")),de("")) )#
Your original code wraps HTMLEditFormat around a condition. And there's no need to HEF() an empty string, so you still have just one usage of HTMLEditFormat. I don't think you need HTMLEditFormat at all, to be honest.
I think. Didn't test this myself.

You can't put the NOT inside the function call like that.
This is more in line with what you were trying to do.
#iif(NOT HTMLEditFormat(url.excludeFinalized),de(" disabled"),de("")))#
But if HTMLEditFormat(url.excludeFinalized) can't be resolved as a Boolean value, you're going to get a runtime error.
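The point both answers circle around is that the condition in iif() is never rendered, so encoding it does nothing for XSS; what needs encoding is text that is actually written into the page. The following CFML is an added example, not code from the question or either answer. It assumes a search form whose checkbox is driven by url.excludeFinalized and a hypothetical url.returnTo parameter that is reflected into an attribute; it also uses encodeForHTMLAttribute(), which Adobe introduced in ColdFusion 10 when HTMLEditFormat() was deprecated.

```cfml
<!--- Added example (not from the question or answers). Assumes a form driven by
      url.excludeFinalized and a hypothetical url.returnTo parameter. --->
<cfparam name="url.excludeFinalized" default="false">
<cfparam name="url.returnTo" default="">

<!--- Normalise the untrusted flag once. isBoolean() accepts true/false, yes/no and numbers;
      anything else becomes false instead of being handed to iif() as an expression. --->
<cfset excludeFinalized = isBoolean(url.excludeFinalized) AND url.excludeFinalized>

<cfoutput>
<form method="get">
  <!--- The condition only selects which literal is emitted; the literal is not attacker
        data, so nothing on this line needs encoding. --->
  <input type="checkbox" name="excludeFinalized" value="true"<cfif excludeFinalized> checked</cfif>>

  <!--- The attacker-controlled text is the value reflected into an attribute. Encode it with
        the attribute-context encoder; HTMLEditFormat() is deprecated since ColdFusion 10. --->
  <input type="hidden" name="returnTo" value="#encodeForHTMLAttribute(url.returnTo)#">

  <!--- Legacy iif()/de() form of the checkbox line, for code that must keep that style.
        Note that the validated boolean, not the raw URL parameter, is the condition. --->
  <input type="checkbox" name="excludeFinalizedLegacy" value="true"#iif(excludeFinalized, de(" checked"), de(""))#>
</form>
</cfoutput>
```

If a bad value should be rejected rather than normalised, `<cfparam name="url.excludeFinalized" default="false" type="boolean">` throws on anything that is not boolean; either way the raw parameter never reaches the output unencoded.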

Related

Modx *id isnot =`` and isnot=`` not working

Hi, can someone help me with the correct code for this statement, because it is not working for me.
[[*id:isnot=`250` and isnot=`252`:then=`[[$qc-wrap]]`]]
A more performant syntax would be:
[[[[*id:isnot=`250`:or:isnot=`252`:then=`$qc-wrap`:else=``]]]]
Note: updated to reflect comment below. Include a hyphen in the else value, as this:
[[[[ ... :else=`-`]]]]
Also note: an empty else condition can be left off entirely.
I think using or rather than and is appropriate here.
This article is great for understanding MODX conditionals:
https://sepiariver.com/modx/modx-output-filters-if-phx-conditional-statements-tutorial/
And this one for understanding the syntax above and why it's more performant:
https://modx.com/blog/2012/09/14/tags-as-the-result-or-how-conditionals-are-like-mosquitoes/
You are using the wrong syntax; please fix it as follows:
[[*id:isnot='250':and:isnot='252':then='[[$qc-wrap]]']]
Don't forget to replace ' with ` within this example.
A simpler solution for this question is to use the :inarray output modifier to return an empty string, and use the :default output modifier to customize output for everything that doesn't match 250 or 252:
[[*id:inarray=`250,252`:then=``:default=`[[$qc-wrap]]`]]

TO_PURE_TEXT with cell referencing doesn't filter double quotes against documentation

I want to get a clean number from a string like "123.45". When I use =TO_PURE_TEXT(C10) it doesn't work for me,
contrary to an example from the documentation. Absolute referencing doesn't help either.
But if I use no cell reference, just direct input like =TO_PURE_TEXT("123.45"), the result is correct, as expected, without quotes.
Is it a kind of bug, or am I really doing something wrong? How can I get this to work with cell referencing?
all you need is:
=SUBSTITUTE(C10, """", )*1
or:
=REGEXREPLACE(C10, """", )*1
I can't speak to whether it's a bug. Does seem odd, but this should work for now:
=1*SUBSTITUTE(C10,CHAR(34),"")

How to put format code the right way in Python?

I'm trying to learn Python via LPTHW (Learn Python The Hard Way). In ex05 (it's about format codes), the code he gives isn't working; I need to use different code to get the same result.
I already tried deleting the parentheses and putting a space between the f and the double quote.
In the end I used the % (%s and %d) style, not the f-string (f"bla bla {bla}") one.
What LPTHW expects is for the first code to give the same result as the second one, yet it gives me "invalid syntax". There's no way the computer is wrong, right?
So what is the problem? When I try to search for this problem, no one has the same problem as me.
I'm sure I typed it right, because after that I tried copying the exact code from the page and it still didn't work.

Is a ValueList() a string?

I am trying to convert the results of a query into an array:
this.arLibrary = ValueList(qryLibrary.ID).ListToArray();
And I get the following error:
Detail A script statement must end with ";".The CFML compiler was
processing:A script statement beginning with
this.arLibrary on line 43, column 9.A cfscript tag
beginning on line 21, column 2. KnownColumn -1 KnownLine -1
KnownText <unknown> Line 43 Message Invalid construct.
Snippet this.arLibrary =
ValueList(qryLibrary.ID).
StackTrace
This does work
temp = ValueList(qryLibrary.ID);
this.arMetricLibActive = temp.ListToArray();
It makes me wonder if ValueList() is a string.
Yes, it's a string. The error is a parsing issue in the CFML engine. The same syntax works fine in Lucee. File a bug like Henry suggested.
Here's an example in the CommandBox REPL:
CFSCRIPT-REPL: foo = queryNew('bar')
{
"COLUMNS":[
"BAR"
],
"DATA":[
]
}
CFSCRIPT-REPL: valueList( foo.bar ).listToArray()
[
]
James, it'd be useful if you read error messages when they are presented to you: they generally contain pertinent information. I don't mean this in a "stating the obvious" sort of way, but rather that it's actually a very important part of troubleshooting problems. You are faced with an error message from the compiler, which means the error occurred when the source code was being compiled. However you are asking a question about data types, which - in a loosely and dynamically typed language like CFML - is a runtime consideration. "Runtime" implies "when the code is being run" which is intrinsically after the code is compiled. If the code can't compile: it won't be run.
So the issue is not whether valueList() returns a string or anything like that.
The issue here is that there is a bug in ColdFusion's CFML parser, and it is not able to interpret this expression:
ValueList(qryLibrary.ID).ListToArray()
I don't know why there's a problem with this: there should be no problem with parsing the calling of a method on another function call's return value; and indeed it seems to be a peculiarity of using valueList() like this, as opposed to built-in functions in general.
File a bug.
As for what to do about it in your code in the meantime, I think Dan is right: generally one can use a query column as an array anyhow, provided one uses bracket notation to reference the column, eg: qryLibrary["ID"]. Brad draws attention to this not working on Lucee, but... this is neither here nor there, and just something that Lucee needs to deal with. There was a bug raised for this in Railo - https://issues.jboss.org/browse/RAILO-641 - but they declined to address it, with only semi-valid reasoning.
Epilog:
This works on ColdFusion 2016 and above
<cfscript>
qryLibrary = QueryNew("ID", "varchar");
qryLibrary.addrow({"id" : "cat"});
qryLibrary.addrow({"id" : "dog"});
qryLibrary.addrow({"id" : "fish"});
writedump(qryLibrary);
arLibrary = ValueList(qryLibrary.ID).ListToArray();
writedump(arLibrary);
</cfscript>
https://cffiddle.org/app/file?filepath=6588296c-5e4d-49a4-894b-4986513e9e30/0ecde857-6d28-4e43-88a7-7830c109ab11/84cd7e81-16f8-43d7-b4c9-5490b1b5d007.cfm
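To make the answers concrete, here is an added example (not code from the question, the answers or the fiddle above) that puts the asker's two-step workaround, the unchained listToArray(valueList()) form that never hits the parser problem, and queryColumnData() side by side. It assumes ColdFusion 2016+ or Lucee and uses constructed sample data in which one ID deliberately contains a comma, because valueList() builds a comma-delimited string and listToArray() splits on that same comma.

```cfml
<cfscript>
// Added example, not from the question or answers. Assumes ColdFusion 2016+ or Lucee.
// Constructed sample data: the last ID intentionally contains a comma.
qryLibrary = queryNew("ID", "varchar", [["cat"], ["dog"], ["fish, freshwater"]]);

// 1. The asker's workaround: materialise the delimited string, then call the member function.
temp = valueList(qryLibrary.ID);          // "cat,dog,fish, freshwater"
arFromValueList = temp.listToArray();      // 4 elements: the comma inside the data is split too

// 2. Same result as a plain function call, so the chained-call parser bug is never reached.
arFromListToArray = listToArray(valueList(qryLibrary.ID));

// 3. No delimiter involved: queryColumnData() copies the column values as they are.
arFromColumn = queryColumnData(qryLibrary, "ID");  // 3 elements, "fish, freshwater" intact

writeDump(var = arFromValueList, label = "valueList + listToArray (4 elements)");
writeDump(var = arFromListToArray, label = "listToArray(valueList()) (4 elements)");
writeDump(var = arFromColumn, label = "queryColumnData (3 elements)");
</cfscript>
```

Whenever the column can hold free text rather than numeric IDs, the delimiter collision in the first two forms is a correctness problem, so queryColumnData() (or looping the query) is the safer way to turn a column into an array regardless of which engine's parser accepts the chained syntax.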

Doing loops in vb.net using regexs

I'm writing a super small interpreter in VB.NET because I need to execute a simple (invented) language so the app understands it and does whatever it needs to do.
Everything went well until I reached the control structures and the loops.
So my question is: in code that is executed line by line using a simple For Each, how can I match the "WHILE ;" and "ENDWHILE;" and execute the code within them?
The first thing that came to my mind is to kind of flag the line of the reader and read the content from that line until it finds "ENDWHILE;", then store that to execute later, so keep isolating the code in parts until I have all the parts and then execute it.
But I'm not so sure how to code it or if my reasoning is correct.
PS: I'm using regexes.
I'm not sure I 100% understand what you are doing, so if this is way off, I apologize upfront :).
If you do something like this:
Imports System.Text.RegularExpressions
Dim m As Match
' Singleline lets "." match newlines so the loop body may span several lines.
' (?:(?!ENDWHILE;).)* consumes one character at a time as long as ENDWHILE; does not start there;
' a bare (?!ENDWHILE;)* is zero-width and would leave group 2 empty.
m = Regex.Match(strYourCode, "(WHILE;)((?:(?!ENDWHILE;).)*)(ENDWHILE;)", RegexOptions.Singleline)
Then the code in m.Groups(2) should be just the inner WHILE code. In terms of explanation, the regex looks for WHILE, followed by any characters that are not ENDWHILE zero or more times, followed by ENDWHILE.
Again, sorry if this is way off, and I haven't tested the regex so it may need some tweaking.
Good luck!