tracker issue : CF-3040920


Bug 82039: HTMLEditFormat does not escape ampersands when they form part of certain entities


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Mike Nicholls / Mike Nicholls (mikenicholls)

Created: 02/10/2010

Components: Language, Functions

Versions: 9.0

Failure Type: Unspecified

Found In Build/Fixed In Build: 9,0,0,251028 / 272889

Priority/Frequency: Normal / Unknown

Locale/System: English / Platforms All

Vote Count: 4


HTMLEditFormat does not escape ampersands when they form part of certain entities.  This behaviour is not mentioned in the documentation, nor is it listed as a change from ColdFusion 8.   It is highly inconsistent, as it does not apply to all entities.  This issue makes it impossible to use HTMLEditFormat to create a form for safely editing HTML (as in the example I've provided).  Some of the user's input is effectively lost, as it does not get properly escaped.  It is a nasty backwards-compatibility issue, as applications written for earlier versions of ColdFusion will behave differently.

<cfparam name="form.myHTML" default="">
<html>
<head><title>HTMLEditFormat() test</title></head>
<body>
<cfif Len(form.myHTML)>
  <p>You submitted:</p>
  <pre><cfoutput>#XMLFormat(form.myHTML)#</cfoutput></pre>
  <p>Try hitting submit again.</p>
<cfelse>
  <p>Try copying the HTML markup below into the form and submitting it.</p>
  <pre>&lt;textarea&gt;This is my HTML markup. It has some entities in it, including &amp;amp;, &amp;raquo;, &amp;#60; and &amp;nbsp;.&lt;/textarea&gt;&lt;p&gt;I do not want to lose them.&lt;/p&gt;</pre>
</cfif>
<form method="POST">
  <textarea name="myHTML" rows="10" cols="40"<cfif Len(form.myHTML)> readonly</cfif>><cfoutput>#HTMLEditFormat(form.myHTML)#</cfoutput></textarea>
  <input type="submit">
</form>
</body>
</html>
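To show why the reported behaviour loses user input, here is an added Python model (not ColdFusion's own code) that round-trips the reporter's sample text through a correct HTML encoder and through an encoder that leaves an ampersand alone whenever it already begins an entity. The second encoder is an assumed approximation of the CF9 behaviour described in the report, not its actual implementation; the form submission is modelled as a single HTML decode of the textarea body.

```python
import html
import re

# Constructed sample: the textarea content from the reporter's repro above.
SAMPLE = ("<textarea>This is my HTML markup. It has some entities in it, "
          "including &amp;, &raquo;, &#60; and &nbsp;.</textarea>"
          "<p>I do not want to lose them.</p>")

# An ampersand that starts something entity-shaped (named, decimal or hex).
ENTITY_AT = re.compile(r"&(#[0-9]+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);")

def escape_all(text: str) -> str:
    """Correct encoder: every & < > and " becomes an entity, no exceptions."""
    return (text.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))

def escape_skipping_entities(text: str) -> str:
    """Assumed model of the reported CF9 behaviour (not ColdFusion's code):
    an & that already begins an entity is copied through unescaped."""
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == "&":
            m = ENTITY_AT.match(text, i)
            if m:                      # the bug: "&amp;" stays "&amp;"
                out.append(m.group(0))
                i = m.end()
                continue
            out.append("&amp;")
        elif ch == "<":
            out.append("&lt;")
        elif ch == ">":
            out.append("&gt;")
        elif ch == '"':
            out.append("&quot;")
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def round_trip(text: str, encoder) -> str:
    """What the browser submits back: the textarea body is parsed as HTML,
    so the encoder's output is decoded exactly once."""
    return html.unescape(encoder(text))

def lost_entities(text: str, encoder) -> list:
    """Entity references in the original that do not survive the round trip."""
    after = round_trip(text, encoder)
    return [m.group(0) for m in ENTITY_AT.finditer(text) if m.group(0) not in after]
```

With the correct encoder the submitted value equals the original; with the entity-skipping encoder every entity the user typed comes back already decoded, which is the lost input the report describes.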

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3040920

External Customer Info:
External Customer Name: Mike Nicholls
External Test Config: 02/10/2010