Search code examples
javascriptencodingcoldfusionxssesapi

ColdFusion Encoding Issue - encodeForHTML and encodeForJavascript Drops Backslashes

To protect against Cross-site Scripting (XSS) I'm using what OWASP recommends, the ESAPI (Enterprise Security API). The esapi.jar file has been included with prior version of ColdFusion but in CF10 you can now easily call some of these helpful functions: encodeForJavascript(), encodeForHTML(), encodeForURL(), encodeForCSS(), and encodeForHTMLAttribute().

I am having troubles with encodeForJavascript(), I'm losing my backslash...

<cfoutput>
    <cfif isDefined("url.name")>
        <!--- Here is the problem, this is identical to the original ascii32to126 string except for one char is missing, the backslash between the brackets ...Z[]... --->
        #url.name#
        <cfabort>
    </cfif>

    <!---
    ASCII 32 thru 126
    !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
    In the line below I double up on the double-quotes and pounds in order to get the cfset to work
    --->
    <cfset ascii32to126 = "!""##$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~">

    <script>
        function locateTo(value)
        {
            window.location='thisPage.cfm?name='+encodeURIComponent(value);
            //alert('thisPage.cfm?name='+encodeURIComponent(value));
        }
        locateTo('#encodeForJavaScript(ascii32to126)#');
    </script>
</cfoutput>

I first call encodeForJavaScript() because we are in the JavaScript context.

Then I call encodeURIComponent() to make sure the URL is built properly.

Everything works fine but on the resulting page I have lost my backslash \. What am I missing here?

(Yes, I am aware I also have to protect where I output #url.name#. For this experiment I didn't do that because I needed to view the source to see if the string matched the original string.)

** UPDATE ** - I am running ColdFusion 10 with all the latest patches applied. Problem seems to be in encodeForJavaScript().

Fails with JSStringFormat() also. Doing this shows the backslash is missing for both...

<cfset ascii32to126 = "!""##$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~">
<cfoutput>
    #encodeForHTML(encodeForJavaScript(ascii32to126))#
    <br><br>
    #encodeForHTML(JSStringFormat(ascii32to126))#
</cfoutput>
Solution

  • (2+ years later) It appears to have since been fixed by Adobe or the ESAPI people. All characters including the backslash are retained. I am now running these versions...

    Server Product: ColdFusion

    Version: 11,0,09,299201

    Tomcat Version: 7.0.68.0

    Edition: Developer

    Operating System: Windows 10

    OS Version: 10.0

    Update Level: C:/ColdFusion11/cfusion/lib/updates/chf11000009.jar

    Adobe Driver: 5.1.3 (Build 000094)

    Java Version: 1.8.0_91

    Java Vendor: Oracle Corporation