One of my table is saving an HTML form which contains ColdFusion variables. In my code I am querying this table and need to display this form in the front end. But while displaying I am getting the ColdFusion variable names instead of the values of the variables.
HTML Form saved in the db table:
<form action="" name="ci_entry_form" id="ci_entry_form" method="post">
<table width="100%" height="100%" border="0">
<tr>
<td align="right"><b style="color:red">*</b> <label class="pop_up_letter_font">G/L # :</label></td>
<td> <input class="pop_up_textbox" type="text" name="gl_number_text" id="gl_number_text" maxlength="21" value="#ARGUMENTS.chkDetails.GL_ACCT_NBR#" required/>
<select class="pop_up_dd" name="gl_number_drop" id="gl_number_drop" onChange="enableDisableGL()">
<option value="">---Select---</option>
<option value="new">Enter a new G/L number</option>
<cfoutput query="glNumbers">
<option value="#glNumbers.GL_ACCT_NBR#">#glNumbers.GL_ACCT_NBR#</option>
</cfoutput>
</select>
</td>
</tr>
</table>
</form>
Method (cffunction) contains below code to query this html form from db table and return the html form.
<cfquery name="qry_getTemplate" datasource="#APPLICATION.dsn#">
select FORM_TXT from HTML_FORMS where REQ_ID = 172
</cfquery>
<cfsavecontent variable="form_content">
<cfoutput>#qry_getTemplate.FORM_TXT #</cfoutput>
</cfsavecontent>
But when I dump the cfcontent variable form_content I am getting the HTML Form without processing the coldfusion variables #ARGUMENTS.chkDetails.GL_ACCT_NBR#, #glNumbers.GL_ACCT_NBR#.
Am I missing something? Can any one help me out resolve this?
I'm pretty sure if you searched this site or via Google a bit you could have found the answer to this already posted somewhere, given it comes up all the time (about once every 3-4 months).
You can't output CFML and somehow hope that it will execute.
I've summarised the CFML request / compile / response process on my blog: "The ColdFusion request/response process".
Bottom line: CFML source code needs to be loaded from the file system at compile time not at runtime. So your code needs to be in the file system when you want it to execute, not in the DB or in a variable.
You can write the code to file and then include it, though. This is detailed in that blog article.
Related
I am trying to get some assistance with wkhtmltopdf.
I have downloaded and installed and trying to get it to work correctly with my program.
What I have is a form that lets the user choose print, preview or excel. When the user chooses print I want pop up the html table that is created by a query depending on the associates and locations that are chosen.
Right now when the user chooses print it just shows this table in the browser.
<cfif FORM.Format IS "print">
<!---<cfdocument format="pdf" scale="75" backgroundvisible="yes" overwrite="no" fontembed="yes">--->
<link rel="stylesheet" href="css/form-table.css"/>
<!---<cfdocumentitem type="header" >
<cfoutput><p align= "right">Page #cfdocument.currentpagenumber# of #cfdocument.totalpagecount#</p></cfoutput>
</cfdocumentitem> --->
<div class="RTable">
<h3 class="RTable-h3">CHECKLIST STATS</h3>
<cfoutput>
<ul class="RTable-headingList">
<li>FROM <span class="RTable-headingList-date">#dateFormat(date1, 'mm/dd/yyyy')#</span> TO <span class="RTable-headingList-date">#dateFormat(date2, 'mm/dd/yyyy')#</span></li>
<li>LOCATIONS: <span class="RTable-headingList-locations">#locList#</span></li>
</ul>
</cfoutput>
<table class="table table-hover RTable-table">
<thead>
<tr>
<th>Associate Name</th>
<th>Location</th>
<th><small>Generated by</small>Associate</th>
<th><small>Generated by</small>Selected Location(s)</th>
<th><small>Associate Percentage of</small>Location Total</th>
</tr>
</thead>
<tbody>
<cfoutput query="GetEmployeeInfo">
<tr>
<td class="RTable-name"><cfif rnA EQ 1><strong>#assoc_name#</strong></cfif></td>
<td class="RTable-location"><cfif rnL EQ 1>#trans_location#</cfif></td>
<td>#checklistsByAssocLoc#</td>
<td>#assocChecklistsByLoc#</td>
<td>#DecimalFormat(totalChecklistsByAssocLocPct)# %</td>
<!---<td> rnA: #rnA# | rnL: #rnL# | rnTotAssoc: #rnTotAssoc# </td> --->
</tr>
<cfif rnTotAssoc EQ 1>
<tr class="RTable-row-associate-total">
<td>Associate Total</td>
<td></td>
<td>#totalChecklistsByAssoc#</td>
<td>#totalAssocChecklistsByAllFilteredLoc#</td>
<td>#DecimalFormat(totalChecklistsByLocPct)# %</td>
</tr>
</cfif>
</cfoutput>
</tbody>
</table>
</div>
<!---</cfdocument>--->
I am trying to use it like cfdocument in the <cfif FORM.Format IS "print"> do I cfexecute this table some how in replace of how I have the table? I am using this as reports and dont want to save a million reports to the server. I guess I am looking for some assistance in getting off on the right foot. Any help would be greatly appreciated.
Iv tried adding this code inside the if "print":
<cfexecute name="C:\Program Files\wkhtmltopdf\bin\wkhtmltopdf.exe"
arguments="http://path/path/checklist/wkhtmltestpage.cfm C:\temp\wkhtmlTest.pdf"
errorVariable="errorMessage"
timeout="10"
/>
But this does not download it to show the user to print.
Also for some reason its not going to the link I am specifying its making a pdf of the login page...
When WKHTMLTOPDF requests the webpage, the "user" is not authenticated and the CGI.Http_User_Agent contains "wkhtmltopdf". The remote IP of the request will also be a local IP that is configured on the server. As a result, I don't directly process any CFM scripts using WKHTMLTOPDF.
I recommend:
Use CFContent to capture generated static HTML.
Save the HTML to a public-accessible directory with a random file name.
Use the web path + random file name w/WKHTMLTOPDF command line.
After PDF is generated, delete random files.
This process will make any issues easier to troubleshoot. I prefer creating static BAT files with the same randomized filename so that I can manually re-run on the server or even locally on my on PC to further troubleshoot and view any weird messages returned by the program. There's many other command line settings you'll want to pass (margins, orientation, pagesize, header/footer, JS delay, etc), so creating a standalone BAT file with all of the command line arguments is the best approach. (I noticed in another question that you may be using CFX_Exec. I recommend using it over CFExecute.)
<!--- Simple WKHTMLTOPDF Generation Usage --->
<cfset FileID = CreateUUID()>
<cffile action="WRITE" file="#webroot#\#FileID#.htm" output="#TheHTML#">
<cfexecute name="C:\wkhtmltopdf.exe" arguments="http://mywebsite.com/#FileID#.htm C:\temp\#FileID#.pdf" timeout="30">
<cffile action="DELETE" file="#webroot#\#FileID#.htm">
To deliver the PDF file, you can either perform a 302 redirect to the randomized PDF file and let your webserver handle the mimetype (and then delete it later) or use CFContent to deliver it using a ColdFusion thread and automatically delete it:
<!--- Return PDF to browser inline or as downloadable attachment --->
<!--- <cfheader name="content-disposition" value="attachment; filename=""NiceFilename.pdf"""> --->
<cfheader name="content-disposition" value="inline; filename=""NiceFilename.pdf""">
<cfcontent type="application/pdf" file="C:\temp\#FileID#.pdf" deletefile="Yes">
I have a single checkbox, I want that when I check the checkbox it
should insert 1 else 0 in the database. How can I do that? This was
earlier a radio button field which is getting converted to check box so
already entry in the database is working good, I am posting my database
code as well.
<tr>
<td class="leftFormLabelCell extrasmalltextbold" style="border-
left:1px solid ##9c9c9c;" width="15%">
#mocTrans.Translate("Required template Action Item?")#
</td>
<td>
<input type="checkbox" name="reqtempactionitem" value="0">
</td>
</tr>
Databse code:
<cfif StructKeyExists(URL, "reqtempactionitem") and
IsBoolean(URL.reqtempactionitem)>
, #reqtempactionitem#
<cfelse>
, 0
</cfif>
The way html checkboxes work is that if checked, the browser will submit [checkboxname]=[value] to the webserver. If the box is not checked, the browser does not submit anything at all to the server.
So the easiest solution uses cfparam, which will give the submitted checkbox a default value.
Thus, in your html, you should have:
<input type="checkbox" name="reqtempactionitem" value="1">
(As has been noted in comments, your value was 0 and should be 1.)
Then, in the database code:
<cfparam name="reqtempactionitem" default="0">
...
dbfield = <cfqueryparam cfsqltype="cf_sql_bit" value="#reqtempactionitem#">
Note the use of cfqueryparam, which is strongly recommended in all queries for both performance and security reasons.
I'm a beginner with ColdFusion and I'm just trying out some basic functions.. I tried to loop over a simple query and put the values in a of a element. As value for the element I tried to set the id of each record of the query. After submiting I tried to read the selected value but I only get
You have chosen #getAll.id#
Here is my Code:
index.cfm
<cfquery datasource="testdb" name="getAll">
select *
from Personen
</cfquery>
<cfform action="chosen.cfm" method="post">
<cfselect name="listPersons">
<cfloop query="getAll">
<option value="#getAll.id#"><cfoutput>#getAll.id# #getAll.name# #getAll.vorname# #getAll.gebdate# <BR></cfoutput>
</cfloop>
</cfselect>
<cfinput type="Submit" name="Senden" value="Senden">
</cfform>
chosen.cfm
<cfoutput>You have chosen #listPersons#</cfoutput>
Can you tell me where I've made the mistake?
You didn't put your value attribute in a cfoutput tag, so it's being processed as #getAll.id# as the key in the struct instead of the value from the query. If you update your cfloop to be a cfoutput your issue will be fixed.
A couple pointers - You should scope the variable on chosen.cfm and you don't need to use cfform a regular form works just fine.
<cfquery datasource="testdb" name="getAll">
select *
from Personen
</cfquery>
<form action="chosen.cfm" method="post">
<select name="listPersons">
<cfoutput query="getAll">
<option value="#getAll.id#">#getAll.id# #getAll.name# #getAll.vorname# #getAll.gebdate#</option>
</cfoutput>
</select>
<input type="Submit" name="Senden" value="Senden">
</form>
chosen.cfm
<cfoutput>You have chosen #form.listPersons#</cfoutput>
Your code works for me with my test database but the value of listPersons on Chosen.cfm is not what I think you intended it to be. I would change the code to the following:
<cfquery datasource="testdb" name="getAll">
select *
from Personen
</cfquery>
<cfform action="chosen.cfm" method="post">
<cfselect name="listPersons">
<cfoutput query="getAll">
<option value="#getAll.id#">#getAll.id# #HTMLEditFormat(getAll.name)# #HTMLEditFormat(getAll.vorname)# #getAll.gebdate#
</cfoutput>
</cfselect>
<cfinput type="Submit" name="Senden" value="Senden">
</cfform>
What I did is I changed your CFLOOP to a CFOUTPUT then removed the CFOUTPUT you had. I also added the HTMLEditFormat functions just in case NAME or VORNAME contain some characters that will not play nice with the display. I assumed ID is numeric and GEBDATE is a date so figured no need on those. I also removed the BR element from your OPTION, not that I thought it was causing an issue but I could not see how that would effect the display either so seemed unneeded. I'd personally would close the OPTION but it is not needed to run. If you ultimate code is not running anything that CFFORM offers then I'd not use it and just use an HTML FORM.
Then on Chosen.cfm I would scope the output:
<cfoutput>#Form.listPersons#</cfoutput>
<cfoutput query="getAll">
#id# #name#
</cfoutput>
You don't need to repeat the query name inside of a cfoutput loop, if with cfoutput you specify the query you are looping over.
The following piece of code in my JSP caused a cross site scripting vulnerability on the input tag.
<form name="acctFrm" method="post" action="<%=contextPath%>/form/acctSummary?rpt_nm=FIMM_ACCT_SUMM_RPT">
<table>
<tr>
<td>Account Id:</td>
<td>
<input class="tbl1" type="text" id="acctId" name="acctId" size="20" maxlength="10" value="<%=rptBean.getAcctId()%>"/>
<img class="tbl1" src="<%=contextPath%>/img/Submit.gif" border="0" />
</td>
</tr>
</table>
</form>
During Penetration testing they were able to alert some random message to the user by injecting a alert script in the value attribute of the tag as follows
<input class="tbl1" type="text" id="acctId" name="acctId" size="20" maxlength="10" value="1"><script>alert(12345)</script>" />
What is the problem here, and what would be the fix.
I was reading through some online references on XSS still I wasnt 100% sure on what could be the issue.
Any help would be greatly appreciated.
Thanks,
Deena
I have used the following solution,
The scriplet in the value attribute is the problem, I replaced it with jstl tag, I read somewhere that jstl tags have inbuild escaping mechanism to avoid xss issues.
<input class="tbl1" type="text" id="acctId" name="acctId" size="20" maxlength="10" value="<c:out value=${rptBean.acctId}"/>"/>
This works good for my issue.
Thanks
It seems the penetration testers were able to manipulate their session such that rptBean.getAcctId() would return an arbitrary string. If they could inject quotes and a right bracket, they could "force close" the input tag and insert their own script tag.
It looks like penetration testers got the method to return the string 1"><script>alert(12345)</script>.
This indicates that you need to escape the data when writing to the page. I would suggest taking a look at the answer on escaping HTML in jsp.
Also, remember that code does not have to be "perfectly" formatted for a browser to render it "correctly". Here are some links on how attackers may try evade XSS filters:
http://blog.whitehatsec.com/tag/filter-evasion/
http://ha.ckers.org/xss.html
Always treat user data as "dangerous" and take care when rendering it on a page.
It seems using jstl tag <c:out value=""> in value attribute will cause errors in jstl <form options> tags,
more info
XSS prevention in JSP/Servlet web application
if getAcctId() returned data come from DB you can filter before sending to client. for example check is data should be a number.
I am trying to make a table with editing capabilities, and I have run into problems trying to associate the old values with the updated ones. My solution was to include a hidden CFInput that passes the old value along side the one to be updated, and then the query is run within a cfc.
<cfform name="update" method="post">
<cfoutput query="allusers">
<tr>
<td>#username#</td>
<td>#email#</td>
<td>#securityID#</td>
<td>DELETE</td>
</tr>
<td><cfinput name="oldUsername" value="#username#" type="hidden"></cfinput><cfinput name="updateUsername" value="New Value"></cfinput></td>
<td><cfinput name="oldEmail" value="#email#" type="hidden"></cfinput><cfinput name="updateEmail" value="New Value"></cfinput></td>
<td><cfinput name="oldSecurityID" value="#securityID#" type="hidden"></cfinput><cfinput name="updateSecurityID" value="New Value"></cfinput></td>
<td><cfinput name="submit" type="submit"></cfinput>
<tr>
<cfdump var="oldUsername">
</cfoutput>
Currently I am not getting any errors, but it does not seem to be passing in the old values. Any tips?
Make sure your CFDUMP is using the hash tags:
<cfdump var="#oldUserName#">
otherwise it won't dump the contents of the variable.
Second of all, you are asking ColdFusion to evaluate "oldusername" when it hasn't had a chance to set oldusername for you yet. Using a CFINPUT tag, simply rewrites this in the HTML to a regular tag with JavaScript and/or Flash enhancements. So form.oldusername will only be available AFTER the post is executed to the next CF template/url. I also recommend highly that you scope (form., variables. etc...) your variables so things don't get crossed (unless you are carefully aware of the variable scope searching order)
Others have provide your answer. My answer is just advice about your form.
Your hidden cfinputs shouldn't be in a table. Tables are for displayed items. You'd be much better served to move your hidden cfinputs right under your cfform tag, like this:
<cfform name="update" method="post">
// NON DISPLAY STUFF
<cfinput name="oldUsername" value="#username#" type="hidden">
<cfinput name="oldEmail" value="#email#" type="hidden">
<cfinput name="oldSecurityID" value="#securityID#" type="hidden">
// DISPLAY STUFF
<table>
</table>
</cfform>