# cfml-general
t
Hi, I am able to get trycf.com to run a JavaScript alert(); I haven't tested any more JS code besides a simple alert(), but this kind of thing can be a vulnerability (bad guys send a trycf gist pretending to be a solution/demo, but when other people run the gist it runs some JavaScript in their browsers). Does anyone know who I should inform? Maybe tag them in this thread?
Alright, further testing shows trycf indeed does run JavaScript code in general. I would think it is a weird feature, as we don't need frontend execution when testing CFML, right?
b
Hey Tomy, I personally don't use TryCF because CommandBox makes it so simple to try different CFML runtimes, and I have no idea how TryCF might secure JavaScript. Perhaps they disable eval(), no clue. But you are right, you don't need JavaScript to test CF syntax. That said, CFML and JavaScript are not mutually exclusive either. JavaScript is the language of the Web and can easily be used to enhance front-end UX along with CFML. Although you can use frameworks like React, I prefer vanilla JavaScript to capture user events. Maybe TryCF can help with that too; again, I have no clue.
s
Yeah, as a general matter having a tool parse arbitrary JavaScript is certainly in the 'bad' camp, but with tryCF you are the source of whatever you're putting in there, or at least you should know who is if you're running some random gist. So unless you're the malicious actor out to mess with yourself, I'm not sure what the attack vector would be.
t
Example: https://trycf.com/gist/c5b22720d3d4a414eb1d86ca1fb4c777/lucee5?theme=monokai At least the 2nd JS (sending a request to an external site) is blocked by CORS policy (you can see in the browser console that the request is blocked). So I guess it is probably safe? If most of you already know that trycf will run JS and think it is ok, then I have no issue (before I run any gist, I do take a glance at what people share in the gist or ask for help with).
s
I mean yeah, I only run short gists that I look at first anyway.
a
Yeah, I think the key here is that it does not auto-run, so it's not like some jsfiddles which have been exploited for redirects etc.