
I have

<form action="?#cgi.query_string#" method="post" ...

The cgi.query_string comes in with an indefinite number of variables. I tried using

<form action="?#EncodeForURL(cgi.query_string)#" method="post" ...

Should I be doing any kind of escaping?

James A Mohler
  • I think this `action="?#cgi.query_string#"` is actually unnecessary; if you omit the `action` attribute then the page will submit to itself (including the query string). Not sure that actually answers your question. – David Faber Jun 06 '18 at 18:21
  • It drops the `cgi.query_string` if I do that. – James A Mohler Jun 06 '18 at 18:25
  • The `EncodeForURL()` function should be doing the escaping for you. What problem are you having with the code you shared? – Miguel-F Jun 11 '18 at 15:41
  • If I use EncodeForURL(), the `&` and `=` are escaped. It becomes just a long string. – James A Mohler Jun 11 '18 at 16:09
  • But it still works, right? – Miguel-F Jun 11 '18 at 18:30
  • No it doesn't work. – James A Mohler Jun 11 '18 at 19:52
  • Ah okay, hence your question. I assumed the browser would interpret the encoded characters for you. Does it work if you add this `application/x-www-form-urlencoded` to your form? I realize that has to do with `form` data but I'm curious if it will also help in handling the encoded query string. – Miguel-F Jun 12 '18 at 15:58

1 Answer

You are using method="POST" in your form tag. So you're trying to have a page with both a query string (URL scope) and a form body (FORM scope), correct?

I'm not sure that's best practice or even allowed by some browsers (I read elsewhere they'll strip query strings on POST actions).

The best solution might be to make the action either GET or POST, and loop through the query string making each item a hidden input?

<cfoutput>
<cfloop list="#CGI.query_string#" delimiters="&" index="i">
  <!--- each item is name=value and still URL-encoded: decode it, then encode for the attribute context --->
  <input
  type='hidden'
  name='#encodeForHTMLAttribute(urlDecode(listFirst(i, "=")))#'
  value='#encodeForHTMLAttribute(urlDecode(listRest(i, "=")))#'
  />
</cfloop>
</cfoutput>

As you say, you can't do this. Your specific question was whether you should do any escaping. The answer to that is "yes" and the location is going to be on the backend, parsing the query string.

<cfoutput>
  <form action='?#CGI.query_string#' method='POST' class='form-horizontal bordered-group' role='form' id='test'>
    <input
    class='form-control'
    type='text'
    name='formvar'
    />
    <input
    class="btn btn-primary btn-lg btn-block"
    type="submit"
    value="Submit"
    />
  </form>
</cfoutput>

Will submit a form to the same page, with the FORM scope present, the URL scope present, and the CGI.query_string defined. The CGI.query_string will have url formatting (%20 for space, etc). The FORM and URL scopes will already be decoded (%20 converted to space, etc).

It seems the crux of your question is really about security and sanitization. In which case you'll want to examine encodeForHTML() (Adobe Docs for encodeForHTML()).

Obviously, this isn't 100% foolproof, since I don't know the details of your code and what you do with the input. But those sanitization functions should be a good start.

So very generally, if you use the URL scope, use encodeForHTML(), and if you use #CGI.query_string#, it will be URL-encoded.

Sean Hogge
  • I am trying to do both. ColdFusion will process URL params and form at the same time. I inherited this code. If it were up to me, I would only do one way, but that is currently not an option. – James A Mohler Jun 11 '18 at 14:47
  • My primary concern is if there is a URL injection attack that is possible by not escaping `CGI.query_string`. If so, what do I do about it? – James A Mohler Jun 11 '18 at 16:11
  • Ah, ok, you're talking security. I'll update my answer again to address that. – Sean Hogge Jun 12 '18 at 14:41
  • 2
    You should not be recommending `htmlEditFormat()` or `htmlCodeFormat()` any more. Those are the old methods for handling escaping. Newer versions of ColdFusion come with the antiSamy libraries installed. The new `encodeFor...` methods should be used instead. – Miguel-F Jun 12 '18 at 15:55
  • 1
    Nothing to do with the question, but if you plan to re-encode the params individually, watch out for empty params. listLast() gives the wrong answer in that case https://trycf.com/gist/782af2b6ff1b5f3ea9997ee8593cdca4/acf2016?theme=monokai – SOS Jul 11 '18 at 14:43