
CFOutput and writeOutput()'s encodeFor attribute cannot be set to nothing

Fixed

Description

I can use a variable to set the encodeFor attribute of the cfoutput tag like so:

<cfset name="brad <br> wood">
<cfset encodeFor="html">
<cfoutput encodeFor="#encodeFor#">
    #name#
</cfoutput>

But there is no value I can put in the variable which will cause the tag to NOT encode the output. Setting it to an empty string or text like “none” just throws an error:

value [] is invalid, valid values are [css,dn,html,html_attr,javascript,ldap,sql,vbscript,xml,xml_attr,xpath]

This will also be needed once this ticket is fixed and the encodeFor attribute can be defaulted for the entire application.

https://luceeserver.atlassian.net/browse/LDEV-4008

The same limitation also applies to the encodeFor argument of the writeOutput() BIF.

Environment

None


Created 27 May 2022 at 20:54
Updated 29 August 2022 at 13:45
Resolved 29 August 2022 at 13:45

Activity


Pothys - MitrahSoft, 31 May 2022 at 07:46

I've checked this issue and confirmed it on the latest Lucee version 5.3.10.10-SNAPSHOT and ESAPI extension version 2.2.4.7. Yes, cfoutput/writeoutput encodeFor doesn't support the values empty string/none. It throws an error like value [] is invalid, valid values are [css,dn,html,html_attr,javascript,ldap,sql,vbscript,xml,xml_attr,xpath]. It seems to work fine in ACF.

I added a fix to this ticket
Pull Request: https://github.com/lucee/extension-esapi/pull/7
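
A workaround for Lucee versions without the fix, added here as an example and not taken from the ticket or the pull request: a hypothetical helper, `encodeOrRaw()`, wraps the `esapiEncode()` BIF so the encoder can be chosen at runtime and "none" is the only value that skips encoding. Falling back to HTML encoding for a blank mode is this example's assumption, chosen so a missing setting never turns encoding off.

```cfml
<cfscript>
// Hypothetical helper (not a Lucee BIF): pick the output encoder at runtime.
function encodeOrRaw( required string value, string mode = "html" ) {
    var m = lCase( trim( arguments.mode ) );

    // Fail closed: a blank mode falls back to HTML encoding, not raw output.
    if ( !len( m ) ) {
        m = "html";
    }

    // Explicit opt-out, for values that are already trusted markup.
    if ( m == "none" ) {
        return arguments.value;
    }

    // Any other value is passed to esapiEncode(), which validates the mode name.
    return esapiEncode( m, arguments.value );
}

// Same sample value as in the ticket description.
name = "brad <br> wood";
</cfscript>

<cfoutput>
    <!--- encoded for an HTML context --->
    #encodeOrRaw( name, "html" )#
    <!--- written as-is; only appropriate for trusted content --->
    #encodeOrRaw( name, "none" )#
    <!--- blank mode: treated as "html" by this helper --->
    #encodeOrRaw( name, "" )#
</cfoutput>
```

The enclosing `cfoutput` has no `encodeFor` attribute, so the helper's result is not encoded a second time.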
