tracker issue : CF-4201329

select a category, or use search below
(searches all categories and all time range)
Title:

The encodeFor value is not passed to nested cfoutput tags

| View in Tracker

Status/Resolution/Reason: Closed/Fixed/Fixed

Reporter/Name(from Bugbase): Peter Freitag / Peter Freitag ()

Created: 02/23/2018

Components: Tags

Versions: 2016

Failure Type: Enhancement Request

Found In Build/Fixed In Build: 2016,0,05,303689 / 308761

Priority/Frequency: Normal /

Locale/System: / Mac All

Vote Count: 1

Problem Description: If you have a cfoutput tag with encodeFor specified it does not apply the encoding to nested cfoutput tags. The entire point of encodeFor is to make it easy for developers to fix XSS holes, it should not have to be added to each nested cfoutput tag.

Steps to Reproduce:

Take a query and cfoutput over it with encodefor then use the group attribute and add a nested cfoutput tag.  For example:

<cfset news = queryNew("id,title,category", "integer,varchar,varchar")>
<cfset queryAddRow(news)>
<cfset querySetCell(news, "id", "1")>
<cfset querySetCell(news, "title", "Dewey defeats Truman <foo>")>
<cfset querySetCell(news, "category", "Headlines")>	
<cfset queryAddRow(news)>
<cfset querySetCell(news, "id", "2")>
<cfset querySetCell(news, "title", "Men walk on Moon")>
<cfset querySetCell(news, "category", "Headlines")>

<cfoutput query="news" group="category" encodefor="html">
	<cfoutput>
		<h1>#news.title#</h1>
	</cfoutput>
</cfoutput>

I also tested a case where you have a cfoutput and then cfinclude another file which has a cfoutput, I would also expect this to carry the parent cfoutput. For example:

<cfoutput><cfinclude template="greet.cfm"></cfoutput>

greet.cfm: <cfoutput>Hi #url.name#</cfoutput>

Actual Result:

The news.title is not encoded for HTML in the nested group cfoutput and url.name is not encoded in the cfincluded page which has a nested cfoutput.

Expected Result:

I would expect that it would encode for HTML

Any Workarounds:

You can add encodeFor to the nested cfoutput.

Attachments:

  1. February 23, 2018 00:00:00: cfoutput.cfm

Comments:

One thing I forgot to mention is that in fixing this there might be a case where you do not want to apply the parent cfoutput encoding and there would be no way to turn that off. Perhaps something like encodeFor="nothing" would be able to revert it back to not encoding in the very rare circumstances that you did not want it to nest.
Comment by Peter F.
92 | February 23, 2018 06:20:38 PM GMT
+1 for encodeFor to propagate to child cfoutput and includes, as long as encodeFor="nothing" is added as a way to prevent propagatation on a case-by-case basis. Nice suggestions! Too bad there's no encodeFor="all" to smartly encode all the variables for their contexts, w/o having to pepper the code w/ encodeFor*() functions.
Vote by Aaron N.
26398 | March 28, 2018 03:23:28 AM GMT