As part of generating an XML document (using CFXML and ToString), we have a section for user comments. As it's user input, we have to treat it as potentially malicious, so we wrap the user comment with
This doesn't cover the corner case of the userComment containing ]]> itself. So we tried to use replace to "escape" the corner case like so
<![CDATA[#replace(userComment, "]]>", "]]]]><![CDATA[>", "ALL")#]]>
This works in testing
"Test ]]> comment" becomes "Test ]]]]><![CDATA[> comment"
but when we use CFXML (and then toString), it seems that CFXML strips out the ]]><![CDATA[.
Can we use the CDATA approach or should we drop that and just use EncodeForXML?
CF Version: 2021 Update 6
<cfxml variable="xmlReport" casesensitive="yes">
    ...
    <COMMENTS><![CDATA[#replace(userComment, "]]>", "]]]]><![CDATA[>", "ALL")#]]></COMMENTS>
    ...
</cfxml>
<cfset xmlString = ToString(xmlReport) >
ColdFusion is a tag-based language. So I would avoid any procedure that plays around with the characters < or >. To be on the safe side, I would use encodeForXML instead.
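As an added illustration of the two approaches discussed above (not code from the question or the answer), the following Python compares a naive CDATA wrap, the CDATA-splitting trick from the question, and plain entity escaping (the equivalent of encodeForXML), checking each by parsing the result back with an XML parser. The element names and the sample comment are constructed for the example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: a user comment containing the CDATA terminator.
SAMPLE_COMMENT = "Test ]]> comment"


def naive_cdata_wrap(text: str) -> str:
    """Wrap in CDATA without handling an embedded ']]>' (the corner case)."""
    return "<![CDATA[" + text + "]]>"


def split_cdata_wrap(text: str) -> str:
    """Close and reopen the CDATA section at every ']]>' so that no single
    section contains the terminator: ']]>' -> ']]]]><![CDATA[>'."""
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def entity_wrap(text: str) -> str:
    """Escape the markup characters instead of using CDATA (what encodeForXML
    does for the characters that matter here: & < >)."""
    return escape(text)


def build_report(payload: str) -> str:
    """Embed an already-prepared comment payload in a minimal report document."""
    return "<REPORT><COMMENTS>" + payload + "</COMMENTS></REPORT>"


def roundtrip(payload: str):
    """Parse the document and return the COMMENTS text the parser sees.
    Returns None when the document is not well-formed XML."""
    try:
        root = ET.fromstring(build_report(payload))
    except ET.ParseError:
        return None
    return root.find("COMMENTS").text


if __name__ == "__main__":
    for name, wrap in (("naive", naive_cdata_wrap),
                       ("split", split_cdata_wrap),
                       ("entity", entity_wrap)):
        print(name, repr(roundtrip(wrap(SAMPLE_COMMENT))))
```

Only the split and entity variants give back the original comment; the naive wrap either fails to parse or loses the text after the first `]]>`.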