I was reading Ben Nadel's post about the isnull function and my initial thought was "wait: there's an isnull function in ColdFusion? I didn't know that! I wonder if there's one in Railo?" So I typed:
railo isnull
into google and this was the first link. In fact, a lot of my Railo searches have been to similar pages, so apparently this is something that I'm supposed to be able to read and understand. Here's my question:
Q: How do you read the Railo documentation?
I'm used to seeing words written out in sentence format like Ben's post. I mean: I can see that a lot of work went into this page, so I should try to squeeze some kind of meaning out of it... When I see for example:
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Does that mean anything to an applications programmer like myself, or is that a kind of internal documentation? I followed the link to the actual source code, but that's almost too much information.
Maybe I've identified a need.
You read the Railo Javadoc API the same way you read any Javadoc API.
(Though as you note this is more internal documentation and most CFML developers won't need to.)
If you want Railo's CFML documentation for isNull, you visit railodocs.org/isNull instead.
I don't know why Google isn't capable of finding the correct pages. :/
For the benefit of Google I'll also throw in these other links to the isNull documentation: http://railodocs.org/function/isnull?version=current and http://railodocs.org/index.cfm/function/isnull/version/current - they all display the same content (which may be a factor in why they're not ranked properly), so if someone reminds me later I'll bug Mark about getting the URLs canonicalised.
Railo does have isNull()
It works on variables that are not strings
It works on strings
In my experience, Railo 4.2 more or less supports CFML at the same level as ColdFusion 10. It is always useful to test. I agree that as of early 2014, Railo's documentation is lacking a certain clarity.
We operate a ColdFusion site with a custom CSS acting as a directory of various companies. Depending on the type of company, we have a set of subpages containing specific information pulled from the CMS about the company, such as "location/directions". We're looking to add functionality enabling users to add comments to the existing content. I'm looking for suggestions on open source or other available ColdFusion software out there that could work for this. While we could write something custom, commenting tools have been done a thousand times and probably better than we can do it.
While what we're looking for sounds like a blog or forum, it's more of a hybrid. We'd like to be able to add functionality enabling commenting on the content we post in the context we post it in. Seems like there must be something out there that can be easily modified and integrated with our CMS.
Does anyone know of anything out there we should look into?
I'm going to vote to close this too, as per the others, but here's an answer anyway.
If you just want to add commenting to existing content, perhaps use Disqus. It's not locally installable (and is not CFML-based; it's all JS), but it does handle most things one would need if just wanting to add comments to a site.
If you want a native, self-managed solution, unfortunately StackOverflow have deemed that sort of question "unworthy", so you'll need to ask elsewhere. Despite being an entirely reasonable question, for which the answers would be helpful to other people later on (which is - in theory - the raison d'etre of Stack Overflow. Although that's hard to tell, sometimes).
Do any tools exist that will scan ColdFusion source code and locate XSS vulnerabilities?
Say for example a programmer wrote something like this:
<cfoutput> This is a #url.cat#. </cfoutput>
The tool would need to locate un-sanitized code.
Update:
While all of the answers and feedback so far are accurate, none point to a tool which can be run against the source code directly.
I personally know how to write code which is XSS safe. Also I can manually find, detect and correct XSS vulnerabilities. I am looking for something automated which can scan thousands of .cfm and .cfc to automate the processes.
Probably the correct answer is that such a tool does not exist. There are companies such as Veracode which offer a service to do such things. They have an automated process which in my opinion does a horrible job because of its inability to follow code logic.
Anyway, I'll give all +1s and at this point leave the question unanswered.
Update 2: Someone did answer that I would not find a tool, so I will mark this as accepted.
Not specific to XSS but Pete Freitag has a tool that will scan your ColdFusion server for vulnerabilities. The site is Hack My CF. I believe there is a free scan option and they also offer monthly subscription options. I think the tool includes some XSS checks as well.
If you're using ColdFusion 10, you should read this article: http://www.isummation.com/blog/day-2-avoid-cross-site-scripting-xss-using-coldfusion-10-part-1/
I don't think you'll find a tool that checks your actual code, XSS tools out there focus on the form inputs, etc. You might be able to write a script parser yourself that looks for <cfoutput> tags in your ColdFusion file and then looks to see if any of the tags mentioned are present, but trying to define a set of rules for when variables should or should not be wrapped by XSS preventing functions would be almost impossible. You really need to look at each variable and its context.
There are some things you can do in ColdFusion to prevent XSS attacks though as mentioned in the article above and this one: http://www.mindfiresolutions.com/Prevent-crosssite-scripting-attacks-in-ColdFusion-1341.php
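The script-parser idea from the answer above, as an added example (not code from the thread or from any tool it mentions): a Python heuristic that flags #...# expressions inside <cfoutput> which read a request scope without being wholly wrapped in an encoding function. The scope list, the encoder list and the SAMPLE template are assumptions constructed for illustration; the copied variable on sample line 4 is deliberately missed, which is the context problem the answer describes.

```python
import re

# Request-controlled scopes (assumption: extend to match your code base).
UNTRUSTED_SCOPES = ("url", "form", "cgi", "cookie")
# CFML output-encoding built-ins; the encodeFor* family arrived in ColdFusion 10.
ENCODERS = ("htmleditformat", "xmlformat", "jsstringformat", "urlencodedformat",
            "encodeforhtml", "encodeforhtmlattribute", "encodeforjavascript",
            "encodeforurl", "encodeforcss")

CFOUTPUT_RE = re.compile(r"<cfoutput\b[^>]*>(.*?)</cfoutput>", re.I | re.S)
HASH_EXPR_RE = re.compile(r"#([^#\r\n]+)#")
SCOPE_REF_RE = re.compile(r"\b(?:%s)\s*[.\[]" % "|".join(UNTRUSTED_SCOPES), re.I)
ENCODER_RE = re.compile(r"\s*(?:%s)\s*\(" % "|".join(ENCODERS), re.I)


def wrapped_by_encoder(expr):
    """True only when the whole expression is one encoder call."""
    m = ENCODER_RE.match(expr)
    if not m:
        return False
    depth = 0
    for i in range(m.end() - 1, len(expr)):  # start at the encoder's "("
        if expr[i] == "(":
            depth += 1
        elif expr[i] == ")":
            depth -= 1
            if depth == 0:  # encoder call closed: nothing may follow it
                return expr[i + 1:].strip() == ""
    return False


def scan(source):
    """Return (line, expression) for each unencoded request-scope output."""
    findings = []
    masked = source.replace("##", "  ")  # "##" is a literal '#'; keep offsets
    for block in CFOUTPUT_RE.finditer(masked):
        for h in HASH_EXPR_RE.finditer(block.group(1)):
            expr = h.group(1).strip()
            if SCOPE_REF_RE.search(expr) and not wrapped_by_encoder(expr):
                offset = block.start(1) + h.start()
                findings.append((masked.count("\n", 0, offset) + 1, expr))
    return findings


# Constructed sample template; line 2 is the snippet from the question.
SAMPLE = (
    '<cfset cat = url.cat>\n'
    '<cfoutput> This is a #url.cat#. </cfoutput>\n'
    '<cfoutput>Safe: #HTMLEditFormat(url.cat)# costs ##5</cfoutput>\n'
    '<cfoutput>Missed: #cat# and #form["name"]#</cfoutput>\n'
    '<cfoutput>#encodeForHTML(url.a) & url.b#</cfoutput>\n'
)

if __name__ == "__main__":
    for line, expr in scan(SAMPLE):
        print("line %d: unencoded output of #%s#" % (line, expr))
```

A finding is a prompt for manual review, not a verdict: the scan cannot tell whether the chosen encoder matches the output context (HTML body, attribute, JavaScript, URL).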
Although not ColdFusion-specific, there are several plugins for Fiddler which can detect or hint at where XSS flaws may exist. I've tried out watcher before and found it gave me some useful pointers.
This semi-new tool, security analyzer, for the ColdFusion Builder sounds promising: http://www.adobe.com/devnet/coldfusion/articles/security-analyzer.html.
And VERACODE's scanning is much better nowadays: http://www.veracode.com/
I've been using ColdFusion 9 along with the ColdFusion on Wheels Framework for about 6 months now. I still consider myself a beginner, but I am comfortable doing most things I need to.
I recently started writing full CF Script components, and I'm loving the cleanliness of the syntax. I am disappointed to lose some of the simplicity afforded by CFQuery, CFLoop, and so on... but I can live without this for now.
Recently, a few people have mentioned that Railo has better CFScript support. I'm considering switching for that reason.
What things should I keep in mind, and how do the two platforms stack against one another in terms of functionality and ease of use?
Here are the things you need to look for as far as differences between Railo and ColdFusion. This page lists all of the things that Adobe CF has that Railo doesn't, and vice versa:
http://www.getrailo.org/index.cfm/documentation/compatibility/cfml-compatibility/
Mel,
well the easiest way to try it out is to create a mapping called "/" that points to "/" and then compile this mapping from the admin. That should give you a good result on how compatible your code is in terms of compilation.
And a good thing to consider. If you are really happy with CF9, stick with it. You never change a winning team. I am of course proud of Railo and convinced it is the best CFML engine. But I am biased and you should only consider a switch if it is really necessary for different reasons. Costs, performance, memory footprint. But again, if your system runs very well on CF9, just save the money and do something else with it.
Gert Franz
Railo Technologies GmbH
Be careful making decisions based on anecdotes! ColdFusion 9.0.1 brought even more support for cfscript:
Support for the following:
for-in construct (for arrays) in CFScript
var declaration within for loop in CFScript
Function argument metadata
Function equivalents for cffile action="upload" (FileUpload) and cffile action="uploadall" (FileUploadAll)
The following script functions have been implemented as CFCs:
dbinfo
imap
pop
ldap
feed
From:
http://kb2.adobe.com/cps/847/cpsid_84725.html
If you are doing much work with PDF generation (CFdocument) or charting (cfchart), you'll want to try these out in Railo and see how they compare to what you are currently getting with Adobe CF. When I tested charting in Railo I found the Adobe CF engine to produce much nicer looking graphs. I think the PDF engine is better in Adobe CF also.
I think I just realized how restrictive my web host is when they wouldn't let me use cfdump. This actually kind of angers me, cause really, what harm is dump going to do? Anyway my question is has anyone written a cfdump alternative that will kick out complex types of data or can link me to a site with a code example? Can't really use CFCs or UDFs either cause guess what, they're blocked too. Anyway looking for something simple that I can just paste in my cfml and I will be happy. It's sad that I used to be able to do this, but have forgotten a lot of that skillset since I moved into Flex and AS.
oh and they're using cf7, so no cf8 or 9 tricks ;-)
Thanks in advance.
You probably don't want to hear "Change to another hosting company" but if they're that restrictive, you're really limited in what you can do. I've actually never heard of a host that blocks cfdump although I know of a few that still, stupidly, block createObject().
Depending on exactly what they've blocked, you may be able to copy WEB-INF/cftags/dump.cfm from your local ColdFusion installation to a folder inside your application and then invoke it with cfmodule:
<cfmodule template="dump.cfm" var="#something#"/>
@Sean Corfield is right -- switch hosts.
In the meantime, there was a custom tag called "cf_dump" from the era of CF4. I have no idea if it will work on 7, but you could always try to get it working.
cf_dump at Adobe
In case anyone else comes across this old thread as I have just done, do not blindly follow the advice of "change your host", as this is very poor advice. Make the effort to speak with your host before jumping to conclusions.
The host have likely not blocked cfdump; they have blocked Java, which is a good thing as this means they take security seriously. CFdump uses Java, which is why it does not work.
Allowing Java in CF is a very serious security issue as it completely bypasses all security sandboxes and without giving too much away basically means that any other customer on the same server could hack your site and steal your data as well as hacking/crashing ColdFusion itself.
Unfortunately blocking java does disable quite a lot of useful features and breaks most frameworks, so it is a toss up between functionality or security, so bear this in mind before you decide to go and find a host that enables everything and has no security.
At the end of the day if you want access to all of ColdFusion's functionality then you need your own server or VPS.
I've actually been looking for this for some time and today I actually stumbled across the solution. Unfortunately, I didn't come up with this. Thanks and credit goes to John Whish.
http://www.aliaspooryorik.com/blog/index.cfm/e/posts.details/post/using-onerror-method-of-application-cfc-47
Basically he's figured out most of the CFDump data can be called in the Application.cfc onError function.
Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
What features should "Tomorrow's" wikis include? How might they incorporate Web 2.0 features like AJAX? What other features are they currently missing? What do you want to see from the next release of your favorite Wiki?
Edit: How might a Wiki be integrated into other products? What "neat uses" could wikis have?
Preview-as-you-type works very nicely indeed here on Stack Overflow. Many wikis don't do that.
Make it really easy to link between pages, eg. that, as you type, the wiki finds likely pages you may be referring to. That way you can make links without having to know the exact title of a target page, and bouncing on the shift key to WriteInCamelCase, or throwing in square brackets. Make it very easy to link to other websites outside the wiki, too (and by "easy" I do not mean like wikisisters, which, if I remember correctly, is like foowiki:ALinkLikeThis).
Similarly, if you can generate links within text automatically, you could, for example, have a mail system that wikifies your email. You create a wiki page, say, for Joel Spolsky, and references to Joel emails in your inbox become links to that page, which you can find by clicking "what links here". (This probably needs something along the lines of Bayesian filtering to prune the stray references to other Joels... your Bayesian Classifier learns that if the context is smart and getting things done, it's Spolsky. If it's flying Viking kittens, it's more likely Joel Veich).
A variety of RSS feeds for tracking changes would be nice, too. (Diffs, full text, changes on pages I've edited, ...)
Wikipedia has grown a fairly colossal categorisation system ("Fictional Cats", anyone?); laying a taxonomy over a wiki's flat namespace could provide another way for users to find their way around. Wikipedia's doing this a little, but in fairly limited ways so far: there are links to the relevant category lists, but you can't, for example, look for a composer called "Smith".
Similarly, wikis give you this big graph of interconnected nodes, of how closely your community sees the relevant concepts as being. Is that interesting? Is that useful? Does anyone who isn't google want to think about this stuff?
PS. If you believe Paul Graham's definition of Web 2.0 as "Democracy, Don't Maltreat Users, and Javascript works now", wikis are two thirds Web 2.0 already.
I am personally already tired of wikis. Wiki as a software is outdated, now it is about wiki as a feature (like my favorite new website, stack overflow).
The main advantage of community wiki — more editing — came into existence when we introduced "Suggested Edits".
With "Suggested Edits", anyone, even an anonymous user, can edit anything — so long as another experienced user reviews and approves their edit.
I'm in the process of choosing a wiki tool, and have looked at numerous packages over the past week. I'm sure there are dozens I haven't even heard of yet, probably good ones. But in general, here's my "beginner's mind" take on the problem.
Wiki markup should be abandoned. A wiki that is limited to wiki markup will only be useful to 'nix hacks and others who get excited about doing things the hard way and insisting that everybody else is stupid. I mean, Morse code is fine with me personally; I don't get what was wrong with a nice, clean dash-dot-dash. Or smoke signals, they were nice, except for the carbon footprint. But times change, and we have to change with them.
Real users (business users, customers, clients) want rich text editing. Period. And when a wiki tries to support both rich text and wiki markup, the results are not pretty. The model is confusing and (apparently) difficult to implement. The fckeditor extension at wikiwiki is a nightmare, for example. It's just not worth it.
Wikis need better access control. The idea that all content should be open to everyone is fine for an open, public, non-profit wiki like this one. But in the business world, that's not how it works. Restricting access is not evil, it's reality. Wiki tools need to do a much better job of providing access control: access to pages and groups of pages based on role or group membership, where groups can be formed by anyone on an ad hoc basis and users can belong to multiple groups and pages can be accessible to multiple groups, at the whim of the page's creator.
Those are the two things that I want, above all else, and I haven't found it in open source, at least not out of the box. Which, of course, is why open source is open source.
There's been some interesting work using wikis for testing and software development. EG, movement towards literate programming -- allowing pages to exist as both code and documentation that is compiled down into one or the other (or, I suppose, both simultaneously).
They have a regular session about this at the annual WikiSym conference.
I think one direction of Wikis is going from open ended collections of documents to an "everyone can edit but with more structure" applications like SO.
Another direction that I've seen is more direct integration with other project support tools, so project planning, issue management, and all that stuff.
Personally, I think the next big direction is going to be some sort of multimedia based Wiki, not just a Wiki where multimedia can be embedded in the text.
I really like MediaWiki. It's widely used and free/Free. The markup syntax is straightforward and allows you to do enough basic styling that you don't need to use custom HTML or to use a WYSIWYG. I assume by "sexy web 2.0" you mean Flash/AJAX, but I like MediaWiki because it works cleanly with basic HTML/Javascript (you don't have to wait for custom widgets to load, etc...).
What makes wikis reach their potential of usefulness is the community that develops around them more than the software itself. You need to find a niche where people are both passionate about (but not criminally insane about) the central topic and have enough technical prowess to log on to a website and edit some text.
"Wiki" is ultimately just a pattern:
Open editing by all/most visitors
Integrated revision tracking and rollback to reduce the cost of mistakes
Simple syntax for cross-linking between articles, and auto-creation of stub articles when referenced
That's not a perfect description, but it's a combination that isn't particularly magic. Successful wikis combine those things with a critical mass of people creating and maintaining content.
The next step, IMO, is less about web 2.0 shininess and more about the integration of better structural information. Adding any metadata beyond "this points to that" is an exercise in brute force hand-markup. Maybe microformats? Maybe the development of more structured knowledgebase software that uses wiki-ish editing UI but a smarter backend? I'm not sure, but I think better handling of the structured data is really the next wave.
Extensibility.
Check out DekiWiki, they are doing an excellent job with this.
DekiWiki extensions
The wiki-of-the-future will be completely editable online, concurrently by everyone. Check out EtherPad for a demo of the technology.
For me, in terms of Enterprise style uses for a wiki, I have a couple of thoughts;
An effective way to keep and synchronise a central, web based wiki with multiple, offline, desktop style wikis for people on the go
To move towards wiki as a function as opposed to wiki as a system, so we can integrate the wiki collaborative system into other things