tracker issue : CF-3861951

CFForm issue in CF11

Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Geomon Augustin / Geomon Augustin (2_ColdFusion)

Created: 12/03/2014

Components: CFForm, HTML

Versions: 11.0

Failure Type:

Found In Build/Fixed In Build: CF11_Final /

Priority/Frequency: Major / Most users will encounter

Locale/System: English / Win 2008 Server R2 64 bit

Vote Count: 2

Listed in the version 2016.0.0.297996 Issues Fixed doc
Verification notes: verified_fixed on July 29, 2017 using build 2016.0.01.298513
Problem Description:

We found an issue related to the FORM submission in CF11. If the action attribute is not specified in the cfform tag, it does not generate the action using the current URL (query-string values containing specific text are getting truncated).

Steps to Reproduce:

      Create a FORM using <CFFORM > tag without 'action' attribute      
         Example :
          URL Before form submission : -          

Actual Result:

         URL After form submission : -

Expected Result:

Any Workarounds:

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3861951

External Customer Info:
External Company:  
External Customer Name: 2_ColdFusion
External Customer Email:  
External Test Config: My Hardware and Environment details:

ColdFusion 11 , windows server 2008 R2 standard



It does not occur in all cases; it seems to get truncated when the query string contains specific text like 'prod'
Comment by External U.
9729 | December 03, 2014 10:58:59 PM GMT
For discussion and test cases, see
Comment by External U.
9730 | December 04, 2014 06:37:04 AM GMT
+1 vote. The bug leads to (URL) data loss, which can have a big impact on your application.
Vote by External U.
9737 | December 04, 2014 06:54:22 AM GMT
test - subscribing for notifications
Comment by External U.
9731 | December 04, 2014 12:55:20 PM GMT
I can't seem to find any difference in url without "action" attribute. Do you have any specific code, to repro this?
Comment by Anit K.
9732 | December 04, 2014 01:21:28 PM GMT
Hi Anit Kumar, follow the forum link I gave earlier.
Comment by External U.
9733 | December 04, 2014 01:50:00 PM GMT
Wow, good find! This issue exists when the URL contains any HTML character entity, not just &prod. It's b/c CF is essentially running something like canonicalize(CGI.QUERY_STRING, true, true, true) when generating the default cfform action. Instead, CF should be canonicalizing each parameter name and parameter value independently.

There's some history to this: Adobe had originally removed the default form action in CF10 (and released a hotfix to do the same for CF8 and CF9) due to XSS. However, this caused URL parameters to vanish when passed into a CF AJAX container, after submitting a form w/in the container:

index.cfm
------------
<cfwindow|layoutarea|etc source="page.cfm?name=value&.."..

page.cfm:
<cfform><cfinput type="submit" name="submit" value="submit" /></cfform>

Once the form was submitted, the "?name=value&.." data vanished from the form action. So I suggested that CF encode the default form action, instead of removing it. But, Adobe, I suggested that each name and value be treated separately (not canonicalize/encode the entire CGI string). Can the canonicalization please be done on each parameter name and parameter value independently - and then this issue should be resolved?

Thanks!,
-Aaron
Comment by External U.
9734 | December 06, 2014 06:15:40 AM GMT
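The difference described in the comment above, between canonicalizing the whole query string and canonicalizing each parameter name and value separately, as an added Python example (not ColdFusion's code and not code from this ticket). The lenient entity decoder is an assumed model of a decoder that accepts `&name` without a trailing `;`; the function names and the sample query string are constructed for illustration.

```python
import re
from html.entities import html5
from urllib.parse import quote, unquote

# Entity names with the trailing ';' removed: "prod", "amp", "lt", ...
_NAMES = {name.rstrip(";"): char for name, char in html5.items()}
_ENTITY = re.compile(r"&([A-Za-z][A-Za-z0-9]*)(;?)")

def lenient_entity_decode(text):
    """Assumed model of a lenient decoder: '&name' decodes even without ';'."""
    def repl(match):
        name, semi = match.groups()
        for end in range(len(name), 0, -1):  # longest known name wins
            if name[:end] in _NAMES:
                rest = name[end:]
                return _NAMES[name[:end]] + (rest + semi if rest else "")
        return match.group(0)  # not an entity: leave untouched
    return _ENTITY.sub(repl, text)

def canonicalize_whole(query_string):
    """The failing approach: decode the raw query string in one pass,
    so a separator followed by a parameter name can read as an entity."""
    return lenient_entity_decode(unquote(query_string))

def canonicalize_per_parameter(query_string):
    """Split on '&' and '=' first, then decode and re-encode each piece,
    so the separators are never seen by the entity decoder."""
    pairs = []
    for pair in query_string.split("&"):
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        clean = [quote(lenient_entity_decode(unquote(part)), safe="")
                 for part in (name, value)]
        pairs.append(clean[0] + sep + clean[1])
    return "&".join(pairs)

# Constructed sample: a parameter named "prod" and a URL-encoded "&lt;script".
SAMPLE = "id=7&prod=books&q=%26lt%3Bscript"

if __name__ == "__main__":
    print(canonicalize_whole(SAMPLE))          # "&prod" collapses into one character
    print(canonicalize_per_parameter(SAMPLE))  # parameters intact, value re-encoded
```

The encoded value in `q` is still decoded and re-encoded in the per-parameter version, so the result would still need attribute encoding before being written into a form action.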
+1 ......................
Vote by External U.
9738 | December 06, 2014 06:19:01 AM GMT
Filed #CF-3924625 for canonicalizeURL(). <cfform> could use that to skip the ampersands when canonicalizing query strings. Thanks!, -Aaron
Comment by External U.
9735 | January 21, 2015 04:12:13 AM GMT
Verified this is fixed in CF2016 Update 1 (build 2016.0.01.298513). Hopefully CF-3924625 can be implemented in Aether, b/c we need a BIF that canonicalizes URLs correctly. Thanks!, -Aaron
Comment by Aaron N.
9736 | July 29, 2017 06:04:37 PM GMT