April 5, 2023
Question

CFXML, CDATA and escaping ]]>


As part of generating an XML document (using CFXML and ToString), we have a section for user comments. As it's user input, we have to treat it as potentially malicious, so we wrap the user comment with

<![CDATA[#userComment#]]>

This doesn't cover the corner case of the userComment containing ]]> itself. So we tried to use replace to "escape" the corner case like so

<![CDATA[#replace(userComment, "]]>", "]]]]><![CDATA[>", "ALL")#]]>

This works in testing

"Test ]]> comment" becomes "Test ]]]]><![CDATA[> comment"

but when we use CFXML (and then toString), it seems that CFXML strips out the ]]><![CDATA[.

Can we use the CDATA approach or should we drop that and just use EncodeForXML?


More details

CF Version: 2021 Update 6

Code summary:

<cfxml variable="xmlReport" casesensitive="yes">
...
<COMMENTS><![CDATA[#replace(userComment, "]]>", "]]]]><![CDATA[>", "ALL")#]]></COMMENTS>
...
</cfxml>

<cfset xmlString = ToString(xmlReport) >
BKBK
Community Expert
April 24, 2023

ColdFusion is a tag-based language. So I would avoid any procedure that plays around with the characters < or >. To be on the safe side, I would use encodeForXML instead.
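The two approaches discussed in the question and the reply, the CDATA-splitting replace and entity encoding, behave the same way in any conforming XML parser, so they can be checked outside CFXML. The following is an added Python example, not code from the thread or from ColdFusion: it serialises a <COMMENTS> element three ways (naive CDATA, split CDATA, entity-escaped, the last standing in for what EncodeForXML produces), parses the result and reports whether the user text stayed a single text node. The sample inputs are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def naive_cdata_wrap(text: str) -> str:
    """The original wrap from the question: a ']]>' inside text closes the
    section early, so whatever follows is parsed as markup."""
    return "<![CDATA[" + text + "]]>"


def cdata_wrap(text: str) -> str:
    """The replace from the question: close the section at every ']]>' and
    reopen it, so the terminator never appears inside one CDATA section."""
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def entity_escape(text: str) -> str:
    """Entity-encoding alternative (stands in for EncodeForXML; assumed to be
    equivalent for element content): &, <, > and quotes become references."""
    return escape(text, {'"': "&quot;", "'": "&apos;"})


def parse_comment(markup: str):
    """Embed the serialised content in <COMMENTS> as the report does, parse it
    and return (text content, number of child elements). A non-zero child
    count means the input escaped the text node and created markup."""
    elem = ET.fromstring(f"<COMMENTS>{markup}</COMMENTS>")
    return (elem.text or "", len(list(elem)))


# Constructed samples: the one from the question and one that tries to close
# the CDATA section and insert an element.
SAMPLE_OK = "Test ]]> comment"
SAMPLE_BREAKOUT = "x]]><INJECTED/><![CDATA["


def compare_wrappers(text: str = SAMPLE_BREAKOUT) -> dict:
    """Run all three encoders over `text` and parse each result."""
    encoders = {"naive": naive_cdata_wrap, "split": cdata_wrap, "escape": entity_escape}
    return {name: parse_comment(fn(text)) for name, fn in encoders.items()}


if __name__ == "__main__":
    for name, (text, children) in compare_wrappers().items():
        print(f"{name:7s} text={text!r} child_elements={children}")
```

Both the split-CDATA and the entity-escaped form give back the original string with no child elements; only the naive wrap lets the input create markup.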