views: 41
answers: 2
I am populating form variables from a database. If the field value has a double quote in it, such as 3" for 3 inches, then the html source looks like the following:

<input name="width" value="3"">

Q: How do I handle fields that contain double quotes?

I first thought it was a cfqueryparam problem, but it turns out it's an html problem.

+2  A: 

I think it's probably the browser, you need to encode the quote using &quot; in your HTML then it should pass properly.

Pete Freitag
What if I say:

<cfset form.FieldName = replace(qry.FieldName,'"','&quot;',"all")>

Will &quot; get into the database?
cf_PhillipSenn
Better to use built-in functions that already handle this - see my answer for details.
Peter Boughton
Heh, just noticed this is you Pete - coincidentally I've just linked to your recent blog entry below. :) Slight tangent, but are you aware of this: http://www.owasp.org/index.php/ESAPI_ColdFusion_CFML_Readme - might be good to give Jason Dean and Bill Shelton a kick and get an even friendlier CF interface for ESAPI?
Peter Boughton
Hi Peter, yes I was aware of that project, but I don't know that Jason or Bill are actively working on it anymore.
Pete Freitag
+7  A: 

Use HtmlEditFormat when displaying the value.

Like this:

<input name="width" value="#HtmlEditFormat(Form.Width)#" />


There is also:

XmlFormat for XML output;
JsStringFormat for JavaScript output;
UrlEncodedFormat for URL content.

For more complete/heavyweight stuff, you could consider OWASP's ESAPI - a Java Security API which can be used from CF and provides the following:

Context        Method
-------        ------
HTML           esapi.encodeForHTML(variable)
HTML Attribute esapi.encodeForHTMLAttribute(variable)
JavaScript     esapi.encodeForJavaScript(variable)
CSS            esapi.encodeForCSS(variable)
URL            esapi.encodeForURL(variable)

(from Pete Freitag's cfunited presentation slides)

Peter Boughton
D'oh! I _knew_ I should have gone to CFUnited this year!
cf_PhillipSenn
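Added example, not code from the question or from either answer: a small JavaScript model of why `value="3""` goes wrong and of what the encoders recommended above actually do. It goes slightly beyond the 3-inch case by also feeding in a value that turns the truncated attribute into an event handler, which is the security reason the output context matters. Assumptions: `parseAttributes` is a deliberately simplified stand-in for a browser's attribute parser (double-quoted attributes only); `htmlEditFormat` mirrors the four characters ColdFusion's HtmlEditFormat escapes (`&`, `<`, `>`, `"`) and, like the real function, leaves the single quote alone, so it is only safe inside double-quoted attributes; `encodeForHtmlAttribute` and `encodeForJavaScript` are written here in the spirit of the ESAPI methods named in the table, not ESAPI's own code. Run with `node` (the file name is up to you).

```javascript
// Added example (not from the question or answers): attribute truncation vs. encoding.

// Simplified model of how a browser reads double-quoted attributes: the value ends
// at the first raw double quote. Enough to demonstrate the failure, not a real parser.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([A-Za-z_:][-A-Za-z0-9_:.]*)="([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) attrs[m[1]] = m[2];
  return attrs;
}

// Decodes only the entities the encoders below emit, so round trips can be checked.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-fA-F]+);/g, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&quot;/g, '"').replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Same four characters ColdFusion's HtmlEditFormat escapes. The single quote is NOT
// touched, so value='#HtmlEditFormat(x)#' would still be breakable.
function htmlEditFormat(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Attribute encoder in the spirit of ESAPI encodeForHTMLAttribute: everything outside
// [A-Za-z0-9] becomes a hex entity, so the quoting style of the attribute no longer matters.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, c => '&#x' + c.codePointAt(0).toString(16) + ';');
}

// String-literal encoder in the spirit of ESAPI encodeForJavaScript / CF JsStringFormat:
// non-alphanumerics become \xHH or \uHHHH, so a value can never close the literal or
// the surrounding <script> element.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, c => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).padStart(2, '0');
    if (cp < 0x10000) return '\\u' + cp.toString(16).padStart(4, '0');
    return '\\u{' + cp.toString(16) + '}';
  });
}

// The template from the question, rendered raw, with HtmlEditFormat, and with the
// stricter attribute encoder.
function renderRaw(width)    { return `<input name="width" value="${width}">`; }
function renderEdited(width) { return `<input name="width" value="${htmlEditFormat(width)}">`; }
function renderStrict(width) { return `<input name="width" value="${encodeForHtmlAttribute(width)}">`; }

// The value as the browser would see it after parsing and entity decoding.
function parsedValue(tag) {
  const v = parseAttributes(tag).value;
  return v === undefined ? undefined : decodeEntities(v);
}

// Constructed sample inputs: the questioner's 3 inches, and a value that turns the
// truncated attribute into an onfocus handler.
const SAMPLES = ['3"', '3" onfocus="alert(1)'];

function demo() {
  const out = {};
  for (const w of SAMPLES) {
    const raw = renderRaw(w);
    out[w] = {
      rawValue: parsedValue(raw),                     // truncated to "3"
      rawExtraAttrs: Object.keys(parseAttributes(raw)).filter(k => k !== 'name' && k !== 'value'),
      editedValue: parsedValue(renderEdited(w)),      // intact
      strictValue: parsedValue(renderStrict(w)),      // intact
    };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

The point the model makes concrete: with the raw template the browser keeps `3` and either discards a stray quote or, for the second sample, accepts `onfocus` as a new attribute; with either encoder the full value survives the round trip. Use HtmlEditFormat only inside double-quoted attributes, and reach for the attribute-specific encoder when the quoting style is not under your control.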