
CFXML, CDATA and escaping ]]>

New Here, Apr 05, 2023


As part of generating an XML document (using CFXML and ToString), we have a section for user comments. As it's user input, we have to treat it as potentially malicious so we wrap the user comment with

<![CDATA[#userComment#]]>

This doesn't cover the corner case of the userComment containing ]]> itself. So we tried to use replace to "escape" the corner case like so

<![CDATA[#replace(userComment, "]]>", "]]]]><![CDATA[>", "ALL")#]]>

This works in testing

"Test ]]> comment" becomes "Test ]]]]><![CDATA[> comment"

but when we use CFXML (and then toString), it seems that CFXML strips out the ]]><![CDATA[.

Can we use the CDATA approach or should we drop that and just use EncodeForXML?


More details

CF Version: 2021 Update 6

Code summary:

<cfxml variable="xmlReport" casesensitive="yes">
...
<COMMENTS><![CDATA[#replace(userComment, "]]>", "]]]]><![CDATA[>", "ALL")#]]></COMMENTS>
...
</cfxml>

<cfset xmlString = ToString(xmlReport) >

Community Expert, Apr 24, 2023


ColdFusion is a tag-based language. So I would avoid any procedure that plays around with the character < or >. To be on the safe side, I would use encodeForXML instead.
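The two approaches from the question and the reply, as an added Python example (not CFML, and not code from either poster): it shows that the ]]> splitting trick in the question produces XML that a standard parser reads back as the original comment, that the naive CDATA wrapper does not, and that plain escaping round-trips just as well. xml.sax.saxutils.escape stands in for ColdFusion's encodeForXML here, which is an assumption; the sample comment is constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample of untrusted input that contains the CDATA terminator.
USER_COMMENT = "Test ]]> comment"


def cdata_split(text: str) -> str:
    """Wrap text in CDATA, splitting each embedded ']]>' across two sections.
    Same substitution as the replace() call in the question."""
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def cdata_naive(text: str) -> str:
    """Unsafe wrapper: an embedded ']]>' ends the CDATA section early."""
    return "<![CDATA[" + text + "]]>"


def xml_escaped(text: str) -> str:
    """Alternative from the reply: escape &, < and > instead of using CDATA.
    saxutils.escape is used here in place of encodeForXML (assumption)."""
    return escape(text)


def build_report(comment_markup: str) -> str:
    """Embed the already-prepared comment markup in a minimal report document."""
    return "<REPORT><COMMENTS>" + comment_markup + "</COMMENTS></REPORT>"


def roundtrip(comment_markup: str):
    """Parse the report and return the COMMENTS text, or None if not well-formed."""
    try:
        root = ET.fromstring(build_report(comment_markup))
    except ET.ParseError:
        return None
    return root.find("COMMENTS").text


if __name__ == "__main__":
    for name, fn in (("naive CDATA", cdata_naive),
                     ("split CDATA", cdata_split),
                     ("escaped", xml_escaped)):
        print(f"{name:12} -> {roundtrip(fn(USER_COMMENT))!r}")
```

Only the split and escaped forms give back "Test ]]> comment"; the naive form is rejected or truncated by the parser, which is the corner case the question is about.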
