As part of generating an XML document (using CFXML and ToString), we have a section for user comments. As it's user input, we have to treat it as potentially malicious so we wrap the user comment with
<![CDATA[#userComment#]]>
This doesn't cover the corner case of the userComment containing ]]> itself. So we tried to use replace to "escape" the corner case like so
<![CDATA[#replace(userComment, "]]>", "]]]]><![CDATA[>", "ALL")#]]>
This works in testing
"Test ]]> comment" becomes "Test ]]]]><![CDATA[> comment"
but when we use CFXML (and then toString), it seems that CFXML strips out the ]]><![CDATA[.
Can we use the CDATA approach or should we drop that and just use EncodeForXML?
More details
CF Version: 2021 Update 6
Code summary:
<cfxml variable="xmlReport" casesensitive="yes">
...
<COMMENTS><![CDATA[#replace(userComment, "]]>", "]]]]><![CDATA[>", "ALL")#]]></COMMENTS>
...
</cfxml>
<cfset xmlString = ToString(xmlReport) >
ColdFusion is a tag-based language. So I would avoid any procedure that plays around with the characters < or >. To be on the safe side, I would use encodeForXML instead.
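The three variants discussed in this thread (naive CDATA wrapping, the split-CDATA replace() trick, and encodeForXML-style escaping), modelled in Python against a conforming XML parser so the round-trip of the user text can be checked. This is an added example, not code from the thread or from ColdFusion; it shows what a parser sees, not what CFXML/ToString() emits, and the function names are my own.

```python
import xml.dom.minidom as minidom
from xml.sax.saxutils import escape

# Constructed sample input: the thread's "]]>" case plus characters that
# matter for XML escaping.
USER_COMMENT = "Test ]]> comment & <tag>"


def wrap_cdata_naive(text):
    # The original wrapper: an embedded "]]>" terminates the section early.
    return "<![CDATA[" + text + "]]>"


def wrap_cdata_split(text):
    # Same idea as the replace() in the question: each "]]>" is split across
    # two adjacent CDATA sections so no single section holds the terminator.
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def wrap_escaped(text):
    # The encodeForXML alternative: escape the special characters instead of
    # relying on CDATA; "]]>" becomes "]]&gt;" and is harmless.
    return escape(text, {'"': "&quot;", "'": "&apos;"})


def comments_text(fragment):
    """Parse <COMMENTS>fragment</COMMENTS> and return the text a consumer
    sees, or None when the fragment is not well-formed XML."""
    try:
        doc = minidom.parseString("<COMMENTS>" + fragment + "</COMMENTS>")
    except Exception:
        return None
    node = doc.documentElement
    # Join text and CDATA children; the split variant yields several nodes.
    return "".join(
        child.data
        for child in node.childNodes
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE)
    )


def roundtrips(wrapper, text=USER_COMMENT):
    """True when the parsed comment equals the original user text."""
    return comments_text(wrapper(text)) == text


if __name__ == "__main__":
    for wrapper in (wrap_cdata_naive, wrap_cdata_split, wrap_escaped):
        print(f"{wrapper.__name__:18s} round-trips: {roundtrips(wrapper)}")
```

The split-CDATA form only survives as long as nothing between you and the consumer merges the two sections back into one, which is exactly the step the question reports CFXML/ToString() does not preserve; escaping has no such dependency.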