tracker issue : CF-4205004


Update esapi.jar to 2.2


Status/Resolution/Reason: To Fix//BugVerified

Reporter/Name(from Bugbase): Bernhard D. / ()

Created: 08/13/2019

Components: General Server, Security

Versions: 2018

Failure Type: Incorrectly functioning

Found In Build/Fixed In Build: 2018.0.4+314546 /

Priority/Frequency: Normal / Few users will encounter

Locale/System: / Win 2012 Server x64

Vote Count: 0

Problem Description:
Converting strings between HTML-encoding and JavaScript-encoding does not work even if canonicalize parameter is set to true.
ColdFusion currently comes with esapi-2.1.0.jar
According to my tests this was an issue in the esapi jar and is fixed in the most recent version esapi-
I was working with legacy code and replaced all occurrences of HTMLEditFormat with EncodeForHTML and JSStringFormat with EncodeForJavaScript.
This led to double encodings which I wanted to correct by setting the second parameter to true.
This resulted in the word starting with the lower case ü instead of an upper case Ü

Steps to Reproduce:
I have a word that starts with "LATIN CAPITAL LETTER U WITH DIAERESIS" - Ü
This word is converted to HTML encoding using the esapi function EncodeForHTML. Then, it is encoded for a second time using EncodeForJavaScript.
<!--- Source string; first character is U+00DC (Ü) --->
<cfset strGermanWord = "Überraschung">
<!--- Step 1: HTML-encode, as the migrated legacy code already does --->
<cfset strHTMLEncoded = EncodeForHTML( strGermanWord )>
<!--- Reference value: JavaScript-encode the raw string directly --->
<cfset strJSEncodedOrig = EncodeForJavaScript( strGermanWord )>
<!--- Step 2: canonicalize the HTML-encoded value (second argument true), then JavaScript-encode it --->
<cfset strJSEncoded = EncodeForJavaScript( strHTMLEncoded, true )>

Actual Result:

"\xDC" is upper case; "\xFC" is lower case

Expected Result:

Any Workarounds:
No workaround :(
ColdFusion 2016 also uses that old esapi library.
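The following Python script is an added illustration of the encode-then-canonicalize-then-encode sequence from the steps above; it is not ColdFusion, ESAPI or the reporter's code. The two encoders are constructed to mirror the output style the report shows (lowercase hex numeric entities for HTML, upper-case \xHH escapes for JavaScript), and the canonicalize step is a plain fixed-point entity decode. Function names (encode_for_html, canonicalize, encode_for_javascript, reproduce) are the script's own. It shows what a correct canonicalize-then-encode should return for the reporter's word (the upper-case \xDC preserved) and, next to it, the double-encoded value you get when the HTML-encoded string is JavaScript-encoded without canonicalization.

```python
import html

# Constructed example encoders, not ESAPI or ColdFusion code. They copy the
# output style seen in the report so the intermediate values are recognisable.


def encode_for_html(s: str) -> str:
    """HTML-encode: ASCII letters/digits pass through, everything else
    becomes a hex numeric character reference (&#xHH;)."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append(f"&#x{ord(ch):x};")
    return "".join(out)


def canonicalize(s: str) -> str:
    """Decode HTML entities until the string no longer changes.

    This is the reduction the canonicalize=true argument asks for: undo any
    existing encoding before re-encoding for the new context. Unlike ESAPI's
    canonicalize(), this toy does not flag mixed or multiple encoding as
    suspicious; it only strips the entity encoding.
    """
    prev = None
    while prev != s:
        prev, s = s, html.unescape(s)
    return s


def encode_for_javascript(s: str, canon: bool = False) -> str:
    """JavaScript-string-encode: ASCII letters/digits pass through,
    code points below 256 become \\xHH, anything above becomes \\uHHHH."""
    if canon:
        s = canonicalize(s)
    out = []
    for ch in s:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 256:
            out.append(f"\\x{cp:02X}")
        else:
            out.append(f"\\u{cp:04X}")
    return "".join(out)


def reproduce(word: str = "Überraschung") -> dict:
    """Run the steps from the report and return each intermediate value."""
    html_encoded = encode_for_html(word)
    return {
        "html": html_encoded,
        # reference: JavaScript-encode the raw word
        "js_from_raw": encode_for_javascript(word),
        # no canonicalization: '&', '#' and ';' get escaped a second time
        "js_double_encoded": encode_for_javascript(html_encoded),
        # canonicalize first: should equal js_from_raw, with upper-case \xDC
        "js_canonicalized": encode_for_javascript(html_encoded, canon=True),
    }


if __name__ == "__main__":
    for name, value in reproduce().items():
        print(f"{name:18} {value}")
```

The js_double_encoded value is the double encoding the reporter describes (the entity's own & # ; characters escaped again), and js_canonicalized is what canonicalize-then-encode should yield: identical to encoding the raw word, starting with \xDC rather than \xFC. Real ESAPI canonicalization additionally inspects the input for multiple or mixed encodings and can reject it; that behaviour is deliberately left out here.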