# adobe
b
@Mark Takata (Adobe) Same with this ticket https://tracker.adobe.com/#/view/CF-4205110. I have searched my e-mail and I have zero messages from the bug tracker about this ticket, yet it is closed without even as much as a comment. It's marked "working as designed", but this is crazy. You can't be rendering HTML from error messages in your error templates. That's an XSS waiting to happen. EncodeForHTML() should be junior-level stuff here.
On this one, I know there are error messages in CF that have historically included HTML. It's terrible and it needs to stop. That doesn't even make sense when storing an error message in a log file or displaying it in any non-HTML context.
m
edit: hmmm I was wrong.
So, if I do this:
```cfml
<cfscript>
    // chr(10) is a line feed; the dump output swallows it
    writeDump("my #chr(10)# message");
</cfscript>
```
it also eats the chr(10). Hmm.
So this works... somehow
But when I try to run it locally, it does not have that same functionality. CFFiddle must be doing something to encode/decode HTML on the way in and out? Weird.
b
@Mark Takata (Adobe) The answer to this is simple: CFFiddle is just using a try/catch around your code and it has a custom error handler which makes the sensible choice to HTML-encode the error messages. Note my ticket refers to the default error page, so unless you're hitting that, you're not reproducing the ticket.