We Keep Coding

Using ColdFusion to consume a webservice

Per recommendations below I now only have the following:
<cfscript>
ws = CreateObject("webservice","http://demo2.mvrs.com/StiConnect/StiConnectWebService.svc?wsdl");
</cfscript>
<cfdump var="#ws#">
And the java error is back:
You've Thrown an Application Error
java.util.NoSuchElementException
Application
Caught an exception, type = Application
The contents of the tag stack are:
array
1
struct
COLUMN 0
ID CF_CFPAGE
LINE 3
RAW_TRACE at cfstTest2ecfm154367281.runPage(D:\Webs\dev\Criminal\Intranet\Web\dev\stTest.cfm:3)
TEMPLATE D:\Webs\dev\Criminal\Intranet\Web\dev\stTest.cfm
TYPE CFML
Below is the follow "Robust" error reporting from the page.
The web site you are accessing has experienced an unexpected error.
Please contact the website administrator.
The following information is meant for the website developer for debugging purposes.
Error Occurred While Processing Request
Invalid construct: Either argument or name is missing.
When using named parameters to a function, each parameter must have a name.
The CFML compiler was processing:
An expression beginning with ws.OrderInteractive, on line 6, column 14.This message is usually caused by a problem in the expressions structure.
A script statement beginning with xlatstring on line 6, column 1.
A cfscript tag beginning on line 3, column 2.
A cfscript tag beginning on line 3, column 2.
The error occurred in /Intranet/Web/dev/stTest.cfm: line 6
4 : ws = CreateObject("webservice",
5 : "http://demo2.mvrs.com/StiConnect/StiConnectWebService.svc?singleWsdl");
6 : xlatstring = ws.OrderInteractive(MVRMODE="MVRUSA", PROCESS="NEWREQ", Cuser="01", Cpass="Abcd.1234", Ccode"K1433", CustomOutPutType="06", OrderState="OH", DPPACode="09", Clicense1="RR653845", cSocial1="286760936", CPOLICY1="TEST_CDLIS");
7 : writeoutput(xlatstring);
8 : </cfscript>
Resources:
Check the ColdFusion documentation to verify that you are using the correct syntax.
Search the Knowledge Base to find a solution to your problem.
Browser Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.97 Safari/537.36
Remote Address 172.16.0.224
Referrer
Date/Time 29-Jan-16 01:20 PM
Stack Trace
coldfusion.compiler.CFMLParserBase$MissingNameException: Invalid construct: Either argument or name is missing.
at coldfusion.compiler.cfml40.FunctionParameters(cfml40.java:6265)
at coldfusion.compiler.cfml40.ComplexReference(cfml40.java:6142)
at coldfusion.compiler.cfml40.VariableReference(cfml40.java:6061)
at coldfusion.compiler.cfml40.PrimaryExpression(cfml40.java:5866)
at coldfusion.compiler.cfml40.UnaryExpression(cfml40.java:5716)
at coldfusion.compiler.cfml40.ExponentialExpression(cfml40.java:5673)
at coldfusion.compiler.cfml40.MultiplyDivisionExpression(cfml40.java:5626)
at coldfusion.compiler.cfml40.IntegerDivisionExpression(cfml40.java:5607)
at coldfusion.compiler.cfml40.ModExpression(cfml40.java:5588)
at coldfusion.compiler.cfml40.AdditionExpression(cfml40.java:5541)
at coldfusion.compiler.cfml40.ConcatExpression(cfml40.java:5522)
at coldfusion.compiler.cfml40.ComparisonExpression(cfml40.java:5375)
at coldfusion.compiler.cfml40.NotExpression(cfml40.java:5325)
at coldfusion.compiler.cfml40.AndExpression(cfml40.java:5297)
at coldfusion.compiler.cfml40.OrExpression(cfml40.java:5278)
at coldfusion.compiler.cfml40.XorExpression(cfml40.java:5259)
at coldfusion.compiler.cfml40.EqvExpression(cfml40.java:5240)
at coldfusion.compiler.cfml40.ImpExpression(cfml40.java:5221)
at coldfusion.compiler.cfml40.HookExpression(cfml40.java:5176)
at coldfusion.compiler.cfml40.expr(cfml40.java:5160)
at coldfusion.compiler.cfml40.cfScriptExpression(cfml40.java:2446)
at coldfusion.compiler.cfml40.SimpleStatement(cfml40.java:612)
at coldfusion.compiler.cfml40.cfscriptStatement(cfml40.java:1542)
at coldfusion.compiler.cfml40.cfscript(cfml40.java:1404)
at coldfusion.compiler.cfml40.cfml(cfml40.java:4342)
at coldfusion.compiler.cfml40.cftry(cfml40.java:1147)
at coldfusion.compiler.cfml40.cfml(cfml40.java:4336)
at coldfusion.compiler.cfml40.start(cfml40.java:4768)
at coldfusion.compiler.NeoTranslator.parsePage(NeoTranslator.java:694)
at coldfusion.compiler.NeoTranslator.parsePage(NeoTranslator.java:675)
at coldfusion.compiler.NeoTranslator.parseAndTransform(NeoTranslator.java:428)
at coldfusion.compiler.NeoTranslator.translateJava(NeoTranslator.java:370)
at coldfusion.compiler.NeoTranslator.translateJava(NeoTranslator.java:147)
at coldfusion.runtime.TemplateClassLoader$TemplateCache$1.fetch(TemplateClassLoader.java:436)
at coldfusion.util.LruCache.get(LruCache.java:180)
at coldfusion.runtime.TemplateClassLoader$TemplateCache.fetchSerial(TemplateClassLoader.java:362)
at coldfusion.util.AbstractCache.fetch(AbstractCache.java:58)
at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:133)
at coldfusion.util.SoftCache.get(SoftCache.java:81)
at coldfusion.runtime.TemplateClassLoader.findClass(TemplateClassLoader.java:609)
at coldfusion.filter.PathFilter.invoke(PathFilter.java:83)
at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
at coldfusion.CfmServlet.service(CfmServlet.java:201)
at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
at jrun.servlet.FilterChain.service(FilterChain.java:101)
at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
I have also updated the way I am consuming the webservice using the createobject now (below you can see the way I original tried):
<cfscript>
ws = CreateObject("webservice",
"http://demo2.mvrs.com/StiConnect/StiConnectWebService.svc?singleWsdl");
xlatstring = ws.OrderInteractive(MVRMODE="MVRUSA", PROCESS="NEWREQ", Cuser="01", Cpass="xxx.xxx", Ccode"xxxx", CustomOutPutType="06", OrderState="OH", DPPACode="xx", Clicense1="xxxxxx", cSocial1="xxxxxxxxxx", CPOLICY1="TEST_CDLIS");
writeoutput(xlatstring);
</cfscript>
Below was the old way i was trying to connect and got my first error.
<cftry>
<cfinvoke
webservice="http://demo2.mvrs.com/StiConnect/StiConnectWebService.svc?singleWsdl"
method="OrderInteractive"
returnvariable="OrderInteractiveResponse">
<cfinvokeargument name="MVRMODE" value="xxxxx"/>
<cfinvokeargument name="Cuser" value="xxx"/>
<cfinvokeargument name="Cpass" value="xxxx"/>
<cfinvokeargument name="CustomOutPutType" value="6"/>
<cfinvokeargument name="OrderState" value="GA"/>
<cfinvokeargument name="DPPACode" value="xx"/>
<cfinvokeargument name="Clicense1" value="201099999"/>
</cfinvoke>
<cfoutput>This is the reported data #OrderInteractiveResponse#</cfoutput>
<cfcatch type="application">
<h3>You've Thrown an Application <b>Error</b></h3>
<cfoutput>
<!--- The diagnostic message from ColdFusion. --->
<p>#cfcatch.message#</p>
<p>Caught an exception, type = #CFCATCH.TYPE#</p>
<p>The contents of the tag stack are:</p>
<cfdump var="#cfcatch.tagcontext#">
</cfoutput>
</cfcatch>
...
<cfcatch type="Any">
<!--- Add exception processing code appropriate for all other
exceptions here ... --->
</cfcatch>
</cftry>
You should be able to look at the wsdl file and see all of the methods. Not sure what to try next. Any ideas what this error could mean?

Issue with deleting sheet from excel

Are there any known issues with deleting sheet from an excel? My code does not allow me to delete first sheet, but do so for any other sheet.
<cfspreadsheet action="read" src="courses.xls" name="spreadSheetVar">
<cfset spreadsheetRemoveSheet(spreadsheetVar,"first")>
<cfspreadsheet action="write" filename="courses.xls" name="spreadsheetVar" overwrite="true" >
Courses.xls has two sheets named first & second. If I try to delete "second" it deletes, but while trying deleting "first" it throw error.
environment: coldfusion dev edition 9,0,2,282541
in built IIS, running on window 7 pro
Following is the error it throw
java.lang.IllegalArgumentException: Sheet index (1) is out of range
(0..0) at
org.apache.poi.hssf.usermodel.HSSFWorkbook.validateSheetIndex(HSSFWorkbook.java:413)
at
org.apache.poi.hssf.usermodel.HSSFWorkbook.getSheetName(HSSFWorkbook.java:542)
at coldfusion.excel.Excel.removeSheet(Excel.java:179) at
coldfusion.runtime.CFPage.SpreadSheetRemoveSheet(CFPage.java:6912) at
cftest12ecfm402095173.runPage(C:\ColdFusion9\wwwroot\Test_Apps\test1.cfm:3)
at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231) at
coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416) at
coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65) at
coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:381)
at
coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
at
coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
at coldfusion.filter.PathFilter.invoke(PathFilter.java:94) at
coldfusion.filter.LicenseFilter.invoke(LicenseFilter.java:27) at
coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70) at
coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:79)
at
coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at
coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46) at
coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at
coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at
coldfusion.CfmServlet.service(CfmServlet.java:200) at
coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:86) at
coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
at
coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at
jrun.servlet.FilterChain.service(FilterChain.java:101) at
jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106) at
jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at
jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
at
jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
at jrun.servlet.http.WebService.invokeRunnable(WebService.java:172)
at
jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
at
jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
at
jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

I know this is not the answer, I was looking for. It is just a workaround, if some is stuck and no way forward. It looks like CF treats first sheet as Active sheet and is not able to delete it.
Making any other sheet as active will allow the first sheet to be deleted.
<cfset SpreadsheetSetActiveSheetNumber(spreadsheetVar, N)>
Where N is anything other than 1.
As I said, until someone who have good hold on java and native POI being used in spreadsheet functions, does not answer this question, this is is the workaround.

How to implement the OWASP ESAPI validator with groups of validation attempts in ColdFusion?

I have been playing around with the OWASP ESAPI utilities that are included with ColdFusion 9. ColdFusion's Builtin Enterprise Security API. The encoder utilities are pretty straight forward and I believe I have them working fine. My problem is with the validator utilities.
I can get them to work singly. That is, if I call the validator.getValidInput() method with "invalid" data it will throw an error that I can catch. However, when I try to call the validator method in batch I get a null pointer exception. By batch I mean attempting to execute groups of validation attempts. This is supposed to work by passing the validator.getValidInput() method a ValidationErrorList parameter which should tell it NOT to throw an error but instead just add the error to the error list. I cannot get it to work in this mode. My best attempt is giving me a null pointer exception.
Here is the specific error:
java.lang.NullPointerException
With this stack trace:
java.lang.NullPointerException at
org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:238) at
sun.reflect.GeneratedMethodAccessor377.invoke(Unknown Source) at
sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at
java.lang.reflect.Method.invoke(Unknown Source) at
coldfusion.runtime.StructBean.invoke(StructBean.java:536) at
coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2393) at
cftest2ecfm989071068.runPage(D:\Web\internet\fboc\test.cfm:19) at
coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231) at
coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416) at
coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2722) at
cfApplication2ecfc1705903666$funcONREQUEST.runFunction(D:\Web\internet\fboc\Application.cfc:70) at
coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:472) at
coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:405) at
coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:368) at
coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:55) at
coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:321) at
coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:220) at
coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:491) at
coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:337) at
coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:88) at
coldfusion.runtime.AppEventInvoker.onRequest(AppEventInvoker.java:280) at
coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:356) at
coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48) at
coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at
coldfusion.filter.PathFilter.invoke(PathFilter.java:94) at
coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70) at
coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:79) at
coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at
coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at
coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46) at
coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at
coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at
coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at
coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:126) at
coldfusion.CfmServlet.service(CfmServlet.java:201) at
coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at
jrun.servlet.FilterChain.doFilter(FilterChain.java:86) at
coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at
coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at
jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at
jrun.servlet.FilterChain.service(FilterChain.java:101) at
jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106) at
jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at
jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286) at
jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543) at
jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203) at
jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428) at
jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
Here is a simple test script. You will notice that I have one line commented out. That line works without the ErrorList but throws an error (as it should). I am trying to get the method to work without throwing the error:
<cftry>
<cfsilent>
<cfparam name="form.TestField" default="" type="string" />
<cfset Esapi = CreateObject("java", "org.owasp.esapi.ESAPI") />
<cfset EsapiEncoder = Esapi.encoder() />
<cfset EsapiValidator = Esapi.validator() />
<cfset Clean = StructNew() />
<cfset Clean.Css = EsapiEncoder.encodeForCss(form.TestField) />
<cfset Clean.Html = EsapiEncoder.encodeForHtml(form.TestField) />
<cfset Clean.HtmlAttribute = EsapiEncoder.encodeForHtmlAttribute(form.TestField) />
<cfset Clean.JavaScript = EsapiEncoder.encodeForJavaScript(form.TestField) />
<cfset Clean.Url = EsapiEncoder.encodeForUrl(form.TestField) />
<cfset Clean.Xml = EsapiEncoder.encodeForXml(form.TestField) />
<cfset ErrorList = CreateObject("java", "org.owasp.esapi.ValidationErrorList") />
<cfset Valid = StructNew() />
<cfset Valid.Input = EsapiValidator.getValidInput("Test Field", form.TestField, "SafeString", 128, false, true, ErrorList) />
<!---<cfset Valid.Input = EsapiValidator.getValidInput("Test Field", form.TestField, "SafeString", 128, false, true) />--->
</cfsilent>
<!DOCTYPE HTML>
<head>
<meta charset='UTF-8' />
<title>ESAPI Test</title>
</head>
<body>
<div>
<h3>ESAPI Test</h3>
<cfoutput>
<form name="frmtest" id="frmtest" action="#cgi.script_name#" method="post">
<p>Enter text to test:</p>
<p><input type="text" name="TestField" id="TestField" size="64" maxlength="128" value="#Clean.HtmlAttribute#" /></p>
<p><input type="submit" name="submit" id="submit" value=" Submit " /></p>
</form>
</cfoutput>
<hr />
<cfdump var="#Clean#" label="Clean Structure" />
<hr />
<cfdump var="#Valid#" label="Valid Structure" />
</div>
</body>
</html>
<cfcatch type="any">
<hr />
<div>
<h3>ERROR</h3>
<cfdump var="#cfcatch#" label="Error" />
</div>
</cfcatch>
</cftry>
When I run this script with "valid" data it works fine (no errors thrown). If I enter an "invalid" character then I get the null pointer exception.
Example of "valid" data: this is a safe string 0123456789
Example of "invalid" data: this is a safe string 0123456789- (notice the hyphen at the end)
Here is a link to the documentation for the validator.getValidInput method that I am trying to implement.
Here is a link to the documentation that shows what I am trying to implement.
For what it's worth, the validation "rules" are defined in the validation.properties file that comes with ColdFusion. That file is located in the {cfusion lib} directory. Here are the contents of that file from my server:
# The ESAPI validator does many security checks on input, such as canonicalization
# and whitelist validation. Note that all of these validation rules are applied *after*
# canonicalization. Double-encoded characters (even with different encodings involved,
# are never allowed.
#
# To use:
#
# First set up a pattern below. You can choose any name you want, prefixed by the word
# "Validation." For example:
# Validation.Email=^[A-Za-z0-9._%-]+#[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
#
# Then you can validate in your code against the pattern like this:
# ESAPI.validator().isValidInput("User Email", input, "Email", maxLength, allowNull);
# Where maxLength and allowNull are set for you needs, respectively.
#
# But note, when you use boolean variants of validation functions, you lose critical
# canonicalization. It is preferable to use the "get" methods (which throw exceptions) and
# and use the returned user input which is in canonical form. Consider the following:
#
# try {
# someObject.setEmail(ESAPI.validator().getValidInput("User Email", input, "Email", maxLength, allowNull));
#
Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$
Validator.Email=^[A-Za-z0-9._%-]+#[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$
Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$
Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$
Validator.CFContainerID=^[\\p{Alnum}_\\-\\.:]+$
Validator.GOOGLEMAPAPI=^[\\p{Alnum}_\\+=\\/\\-]+$
Validator.CFFORMSCRIPTSRC=^[^\\*\\?\"'<>|%]*$
I presume that the idea is to add rules to this file for your own applications.
Has anyone gotten the validator.getValidInput() method to work in batch (groups of validation attempts)?
Update 1
I noticed that the following is being written to my cfusion-out.log on the server every time I get the null pointer exception. It leads me to believe that it is working to a point but then gets a null pointer while attempting to assign the validation exception:
06/25 16:08:14 [jrpp-3225] WARN [SECURITY FAILURE Anonymous:null#unknown -> /IntrusionDetector] Invalid input: context=Test Field, type(SafeString)=^[.\p{Alnum}\p{Space}]{0,1024}$, input=this is a safe string 0123456789-
org.owasp.esapi.errors.ValidationException: Test Field: Invalid input. Please conform to regex ^[.\p{Alnum}\p{Space}]{0,1024}$ with a maximum length of 128
at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:144)
at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:160)
at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:284)
at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:199)
at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:236)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at coldfusion.runtime.StructBean.invoke(StructBean.java:508)
at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2393)
at cftest2ecfm989071068.runPage(D:\Web\internet\fboc\test.cfm:19)
at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231)
at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416)
at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2722)
at cfApplication2ecfc1705903666$funcONREQUEST.runFunction(D:\Web\internet\fboc\Application.cfc:70)
at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:472)
at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:405)
at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:368)
at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:55)
at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:321)
at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:220)
at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:491)
at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:337)
at coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:88)
at coldfusion.runtime.AppEventInvoker.onRequest(AppEventInvoker.java:280)
at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:356)
at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
at coldfusion.filter.PathFilter.invoke(PathFilter.java:94)
at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:79)
at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:126)
at coldfusion.CfmServlet.service(CfmServlet.java:201)
at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
at jrun.servlet.FilterChain.service(FilterChain.java:101)
at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
Update 2
I have been digging through Damon Miller's implementation of the OWASP ESAPI methods for ColdFusion. I noticed in his code that he does not call the getValidInput() method with the ValidationErrorList attribute. Rather he wrote the code to catch the generated error and then add the error to the list himself. Hmmm? I thought the method was supposed to do that for you????
As an aside, I am trying not to use a library such as his to avoid the additional bloat that I do not need.
Excerpt from his code:
if(structKeyExists( arguments, "errorList" )) {
try {
return getValidInput( arguments.context, arguments.input, arguments.type, arguments.maxLength, arguments.allowNull );
}
catch(esapi4cf.org.owasp.esapi.errors.ValidationException e) {
arguments.errorList.addError( arguments.context, e );
}
return arguments.input;
}
else {
...

This looks to be a bug in the Coldfusion implementation of ESAPI - we have full coverage testing of the getValidInput method in your unit test suite for ESAPI that demonstrate that the method works as advertised.
Based off of your second update above I would guess that in the CF implementation code there is an uninitialized variable being accessed (perhaps errorList is uninitialized in this context)
I am the project leader of the OWASP ESAPI project and very familiar with this bit of code in ESAPI itself but am not a CF developer and have not seen all of the implementation code for CF9.
** Edit **
In order to make the validation methods work in batch using ColdFusion a call to the init() method is required for the org.owasp.esapi.ValidationErrorList class before calling the validator methods. Add the following line to the test script and it will work:
<cfset ErrorList = ErrorList.init() />
In context:
<cfset ErrorList = CreateObject("java", "org.owasp.esapi.ValidationErrorList") />
<cfset ErrorList = ErrorList.init() />
<cfset Valid.TestField = EsapiValidator.getValidInput("Test Field", form.TestField, "SafeString", 128, true, true, ErrorList) />
Now when invalid input is entered the error will be added to the ErrorList variable instead of throwing an error.

Markdown processing in Coldfusion 9 with tables extension support

I'm attempting to get Markdown with the tables extension working on Coldfusion 9. There are a few other similar questions regarding CF and Markdown here on stackoverflow but none of them deal with extensions.
So far I have tried;
markdownj via javaloader.cfc
pegdown via javaloader.cfc
showdownjs via orangepips nice cfc
(I would link all these but don't have the rep for more than 2)
All of which work fine for basic Markdown but none of which have tables support out of the box.
Both pegdown and showdown.js support the tables extension. Markdownj however doesn't look to support it at present but I thought it worth a try.
I think that my problem is in getting the syntax correct for loading the extension in either pegdown or showdown. Both work quite differently, one being pure Java and the other being interpreted Javascript.
For pegdown
My code here is very simple and just uses javaloader to load both pegdown and it's required parboiled library. This part appears works fine with no errors but when I try to use the pegdown class I get a fairly generic error;
An exception occurred while instantiating a Java object. The class must not be an interface or an abstract class. Error: ''.
The code for calling pegdown;
<cfscript>
jClass = [
"#getDirectoryFromPath(getCurrentTemplatePath())#/pegdown/pegdown-1.2.1.jar"
, "#getDirectoryFromPath(getCurrentTemplatePath())#/pegdown/parboiled-core-1.1.3.jar"
];
javaloader = createObject('component','components.javaloader.JavaLoader').init(jClass, true);
variables.pegdown = javaloader.create("org.pegdown.PegDownProcessor");
</cfscript>
<cfdump var="#variables.pegdown#" />
For showdownjs:
I've tried adding the extension file (extensions/table.js) to the var for evaluation and adding the extensions var to the converter options as per the documentation but it doesn't work. I'm guessing that showdown.js isn't expecting to be running inside the underlying Java scriptEngineManager as the main showdown.js script can't "see" the tables extension, failing at line 246 with;
The script had an error: sun.org.mozilla.javascript.internal.JavaScriptException: Extension 'undefined' could not be loaded. It was either not found or is not a valid extension. (#246) in at line number 246
My code for showdown.js is based on Orangepips answer in the linked question above.
<cfcomponent output="false" accessors="true">
<cffunction name="init" output="false" access="public" returntype="Showdown" hint="Constructor">
<cfset variables.manager = createObject("java", "javax.script.ScriptEngineManager").init()>
<cfset variables.engine = manager.getEngineByName("javascript")>
<cfreturn this/>
</cffunction>
<cffunction name="toHTML" output="false" access="public" returntype="any" hint="">
<cfargument name="markdownText" type="string" required="true"/>
<cfset var local = structNew()/>
<cfset var bindings = variables.engine.createBindings()>
<cfset var result = "">
<cfset var showdownJS = "" />
<cftry>
<cfset bindings.put("markdownText", arguments.markdownText)>
<cfset variables.engine.setBindings(bindings, createObject("java", "javax.script.ScriptContext").ENGINE_SCOPE)>
<cfset showdownJS &= fileRead('#getDirectoryFromPath(getCurrentTemplatePath())#/showdown.js')>
<cfset showdownJS &= fileRead('#getDirectoryFromPath(getCurrentTemplatePath())#/extensions/table.js')>
<cfset showdownJS &= showdownAdapterJS()>
<cfset result = engine.eval(showdownJS)>
<cfcatch type="javax.script.ScriptException">
<cfset result = "The script had an error: " & cfcatch.Message>
</cfcatch>
</cftry>
<cfreturn result>
</cffunction>
<cffunction name="showdownAdapterJS" output="false" access="private" returntype="string" hint="">
<cfset var local = structNew()/>
<cfsavecontent variable="local.javascript">
<cfoutput>#chr(13)##chr(10)#
var __converter = new Showdown.converter({extensions:['table']});
__converter.makeHtml(markdownText);</cfoutput>
</cfsavecontent>
<cfreturn local.javascript>
</cffunction>
</cfcomponent>
I'm open to any ideas and don't have any particular preference for one solution over another.
stacktrace
java.lang.ClassNotFoundException: org.parboiled.BaseParser at
coldfusion.bootstrap.BootstrapClassLoader.loadClass(BootstrapClassLoader.java:235) at
java.lang.ClassLoader.loadClass(Unknown Source) at
com.compoundtheory.classloader.NetworkClassLoader.loadClass(NetworkClassLoader.java:463) at
java.lang.ClassLoader.loadClass(Unknown Source) at
java.lang.ClassLoader.loadClassInternal(Unknown Source) at
java.lang.ClassLoader.defineClass1(Native Method) at
java.lang.ClassLoader.defineClass(Unknown Source) at
java.lang.ClassLoader.defineClass(Unknown Source) at
com.compoundtheory.classloader.NetworkClassLoader.loadClass(NetworkClassLoader.java:450) at
java.lang.ClassLoader.loadClass(Unknown Source) at
java.lang.ClassLoader.loadClassInternal(Unknown Source) at
java.lang.Class.getDeclaredFields0(Native Method) at
java.lang.Class.privateGetDeclaredFields(Unknown Source) at
java.lang.Class.privateGetPublicFields(Unknown Source) at
java.lang.Class.getFields(Unknown Source) at
coldfusion.runtime.java.ObjectHandler.Initialize(ObjectHandler.java:35) at
coldfusion.runtime.java.ObjectHandler.<init>(ObjectHandler.java:30) at
coldfusion.runtime.java.ReflectionCache$1.fetch(ReflectionCache.java:29) at
coldfusion.util.SoftCache.get_statsOff(SoftCache.java:133) at
coldfusion.util.SoftCache.get(SoftCache.java:81) at
coldfusion.runtime.java.ReflectionCache.get(ReflectionCache.java:36) at
coldfusion.runtime.java.JavaProxy.<init>(JavaProxy.java:35) at
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at
sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) at
java.lang.reflect.Constructor.newInstance(Unknown Source) at
coldfusion.runtime.java.JavaProxy.CreateObject(JavaProxy.java:166) at
coldfusion.runtime.java.JavaProxy.invoke(JavaProxy.java:80) at
coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2360) at
cfJavaLoader2ecfc535209679$funcCREATEJAVAPROXY.runFunction(/srv/vhosts/myproject/httpdocs/components/javaloader/JavaLoader.cfc:329) at
coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:472) at
coldfusion.filter.SilentFilter.invoke(SilentFilter.java:47) at
coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:405) at
coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:368) at
coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:55) at
coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:321) at
coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:220) at
coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:2582) at
cfJavaLoader2ecfc535209679$funcCREATE.runFunction(/srv/vhosts/myproject/httpdocs/components/javaloader/JavaLoader.cfc:87) at
coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:472) at
coldfusion.filter.SilentFilter.invoke(SilentFilter.java:47) at
coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:405) at
coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:368) at
coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:55) at
coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:321) at
coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:220) at
coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:491) at
coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:337) at
coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2360) at
cfpegdown2ecfm1473046932.runPage(/srv/vhosts/myproject/httpdocs/_temp/markdown/pegdown.cfm:22) at
coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231) at
coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416) at
coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2722) at
cfApplication2ecfc294205112$funcONREQUEST.runFunction(/srv/vhosts/myproject/httpdocs/Application.cfc:377) at
coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:472) at
coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:405) at
coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:368) at
coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:55) at
coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:321) at
coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:220) at
coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:491) at
coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:337) at
coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:88) at
coldfusion.runtime.AppEventInvoker.onRequest(AppEventInvoker.java:280) at
coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:356) at
coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48) at
coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at
coldfusion.filter.PathFilter.invoke(PathFilter.java:94) at
coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70) at
coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:79) at
coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at
coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at
coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46) at
coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at
coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at
coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at
coldfusion.CfmServlet.service(CfmServlet.java:200) at
coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at
jrun.servlet.FilterChain.doFilter(FilterChain.java:86) at
com.intergral.fusionreactor.filter.FusionReactorCoreFilter.doRequestNoFilter(FusionReactorCoreFilter.java:712) at
com.intergral.fusionreactor.filter.FusionReactorCoreFilter.doFusionRequest(FusionReactorCoreFilter.java:341) at
com.intergral.fusionreactor.filter.FusionReactorCoreFilter.doFilter(FusionReactorCoreFilter.java:246) at
com.intergral.fusionreactor.filter.FusionReactorFilter.doFilter(FusionReactorFilter.java:121) at
jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at
coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at
coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at
jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at
jrun.servlet.FilterChain.service(FilterChain.java:101) at
jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106) at
jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at
jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286) at
jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543) at
jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203) at
jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428) at
jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
Update
This is now working thanks to barnyr.
The problem stems from my lack of understanding of Java and the some additional dependancies for PegDown and Parboiled.
Parboiled needs both the java and core .jars of Pegdown.
Pegdown expects to find the ASM library
I used version 4.1 and included the -all- version. The recommendation is to only include the necessary asm jars but for now this is enough for me to take this further.
Working code for CF9 (Running on JRUN/Linux)
<!--- Load some demo markdown content --->
<cfset markdownString = fileRead("#getDirectoryFromPath(getCurrentTemplatePath())#/demo.txt")>
<!--- Directory containing all the necessary jar files. --->
<cfset jarDir = "#getDirectoryFromPath(getCurrentTemplatePath())#pegdown" />
<!--- Array of necessary classes --->
<cfset jClass = [
"#jarDir#/parboiled-java-1.1.3.jar"
, "#jarDir#/asm-all-4.1.jar"
, "#jarDir#/parboiled-core-1.1.3.jar"
, "#jarDir#/pegdown-1.2.1.jar"
] />
<cfset javaloader = createObject('component','components.javaloader.JavaLoader').init(jClass, false) />
<!--- Hex values for different extensions can be found in org.pegdown.Extensions.java (0x20 is for tables support) --->
<cfset variables.pegdown = javaloader.create("org.pegdown.PegDownProcessor").init(javaCast("int", InputBaseN("0x20", 16))) />
<!--- Output the HTML conversion --->
<cfoutput>#variables.pegdown.markdownToHtml(markdownString)#</cfoutput>

You're getting the error because of the way that PegDown's dependency - parboiled is distributed.
It's a scala project and it produces more than one JAR. The parboiled core jar you have appears to have just the core algorithms and the Scala language API.
To use the Java API, you'll also need to get hold of the parboiled-java library which provides the bindings (including the BaseParser class mentioned in the exception above). The GitHub repo only has the 1.1.4 files, but there's a copy of the 1.1.3 jar here: http://mirrors.ibiblio.org/maven2/org/parboiled/parboiled-java/1.1.3/parboiled-java-1.1.3.jar
If you download that and add it to the array of jar files you're handing to JavaLoader you should be OK.

cffeed causing errors

Our web admins applied some hotfixes (don't know which ones) over the weekend and it seems to have killed <cffeed>. The error we get is below. We have the <cffeed> tag inside of a <cftry> but it still produces the error. Any thoughts on what would be causing the error or or how to circumvent without rewriting all our code?
ROOT CAUSE:
java.lang.NoClassDefFoundError: Could not initialize class coldfusion.syndication.FeedDateParser
at coldfusion.tagext.io.FeedTag.<init>(FeedTag.java:64)
at sun.reflect.GeneratedConstructorAccessor555.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at coldfusion.runtime.NeoPageContext$TagSet.getTagHandlerInstance(NeoPageContext.java:2284)
at coldfusion.runtime.NeoPageContext.getTagHandlerInstance(NeoPageContext.java:2192)
at coldfusion.runtime.CfJspPage._initTag(CfJspPage.java:1789)
at cfindex2ecfm2002820310.runPage(D:\WEB\ROOT\itap\index.cfm:156)
at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:196)
at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:483)
at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:288)
at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
at coldfusion.filter.PathFilter.invoke(PathFilter.java:86)
at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:74)
at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
at coldfusion.CfmServlet.service(CfmServlet.java:198)
at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
at jrun.servlet.FilterChain.service(FilterChain.java:101)
at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

It looks like this is a sandbox issue. We have security sandboxing turned on. When the hot fixes were put into place, the path to /WEB-INF/cfusion/lib/ needed to be added to the sandbox. So far the only thing we have found that this affects is cffeed. Also, ColdFusion had to be restarted when the changes were made.