tags:

views:

41

answers:

2
+1  Q: 

form variables and double quotes

I am populating form variables from a database. If the field value has a double quote in it, such as 3" for 3 inches, then the html source looks like the following:

<input name="width" value="3"">

Q: How do I handle fields that contain double quotes?

I first thought it was a cfqueryparam problem, but it turns out it's an html problem.

+2  A: 

I think it's probably the browser, you need to encode the quote using " in your HTML then it should pass properly.

Pete Freitag  2010-08-05 16:11:10
What if I say:<cfset form.FieldName = replace(qry.FieldName,'"','',"all")>Will get into the database?
cf_PhillipSenn  2010-08-05 16:15:54
Better to use built-in functions that already handle this - see my answer for details.
Peter Boughton  2010-08-05 16:26:03
Heh, just noticed this is you Pete - coincidentally I've just linked to your recent blog entry below. :) Slight tangent, but are you aware of this: http://www.owasp.org/index.php/ESAPI_ColdFusion_CFML_Readme - might be good to give Jason Dean and Bill Shelton a kick and get an even friendlier CF interface for ESAPI?
Peter Boughton  2010-08-05 16:35:31
Hi Peter, yes I was aware of that project, but I don't know that Jason or Bill are actively working on it anymore.
Pete Freitag  2010-08-16 19:21:04
+7  A: 

Use HtmlEditFormat when displaying the value.

Like this:

<input name="width" value="#HtmlEditFormat(Form.Width)#" />


There is also:

XmlFormat for XML output;
JsStringFormat for JavaScript output;
UrlEncodedFormat for URL content.

For more complete/heavyweight stuff, you could consider OWASP's ESAPI - a Java Security API which can be used from CF and provides the following:

Context        Method
-------        ------
HTML           esapi.encodeForHTML(variable)
HTML Attribute esapi.encodeForHTMLAttribute(variable)
JavaScript     esapi.encodeForJavaScript(variable)
CSS            esapi.encodeForCSS(variable)
URL            esapi.encodeForURL(variable)

(from Pete Freitag's cfunited presentation slides)

Peter Boughton  2010-08-05 16:25:28
D'oh! I _knew_ I should have gone to CFUnited this year!
cf_PhillipSenn  2010-08-05 16:58:07

related questions

Restarting ColdFusion mail queue
ColdFusion mail queue stops processing
in ColdFusion 8, can you declare a function as private using cfscript?
ColdFusion Template Request count optimization
How do I speed up data retrieval from .NET AD within ColdFusion
How to call a function dynamically that is part of an instantiated cfc, without using Evaluate()?
Using Google Maps in Coldfusion
We're manually mapping our internal data elements to external vendors' xml schema. there's gotta be a better way...
How do I turn a ColdFusion page into a PDF download?
Importing Access data into SQL Server using ColdFusion
jquery: JFrame plugin fails in IE 7
How do I programatically sanitise coldfusion cfquery parameters.
ColdFusion: Is it safe to leave out the variables keyword in a CFC?
How should you go about learning ASP.NET after life as a ColdFusion developer?
BOM not expected in CF but sent by IIS/SP
cfqueryparam with like operator in coldfusion
Is it possible to find code coverage in ColdFusion?
How can you test to see if two arrays are the same using CFML?
Why is my PDF footer text invisible?
Coldfusion - When to use the "request" scope?
How do I convert images between CMYK and RGB in ColdFusion (java)?
How do I use NTLM authentication with Active Directory
Dynamic Alphabetical Navigation
Wrapping lists into columns
How to get started "writing" a code coverage tool?