We are moving a client from Railo to Lucee and we have come across an
interesting issue.
test1.cfm
test2.cfm
#URL.Message#
Railo shows: This is a test message
Lucee shows: This+is+a+test+message
In Railo if you entered “test2.cfm?message=This+is+a+test” in a cflocation
it would just send the URL as is. In lucee it URL encodes it to
“test2.cfm?message=This%2Bis%2Ba%2Btest”.
We have disabled cross site scripting in admin and that didn't help. Can
someone give this a try or have you seen this before? Is there a
difference in the way Lucee handles cflocation?
Thanks in advance!
While I have not tested this behavior as being different between Railo and
Lucee, I feel the proper behavior is being done by Lucee in this case.
Might I suggest taking a different approach here altogether?
First, your code is highly insecure. Passing message data around on the URL
like that is inherently dangerous and could lead to reflected XSS attacks
against your site. The better approach is to do something like:
test2.cfm?message=XXX
Where XXX is usually a number or combination of letters you then use within
test2.cfm:
if (URL.message eq XXX) {
    writeOutput( 'This is my test message' );
}
Or, if you expect a number of different messages you could switch/case it
and have a catch-all defaultCase, etc.
At the very least, if you don’t want to do that, then you should do
something like this:
test2.cfm?message=#urlEncodedFormat( 'My test message' )#
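The key-based approach sketched above, written out as an added example (not code from the thread or from Lucee); the message keys "saved" and "deleted", the `messages` struct and the fallback text are assumptions:

```cfml
<cfscript>
// ---- test1.cfm (added example) ----
// Redirect carrying only a short message KEY, never free text.
// A key like "saved" contains no characters that cflocation/urlEncodedFormat
// would rewrite, so the Railo/Lucee "+" vs "%2B" difference no longer matters.
location(url="test2.cfm?message=" & urlEncodedFormat("saved"), addToken=false);

// ---- test2.cfm (added example) ----
// Allow-list of message keys and the text each one maps to (assumed values).
messages = {
    "saved":   "This is a test message",
    "deleted": "The record was deleted"
};

// Make sure URL.message exists; an absent parameter becomes the empty string.
param name="URL.message" default="";

// Look the key up; anything not in the allow-list falls through to a neutral
// default, so attacker-controlled text from the URL is never echoed back.
if (structKeyExists(messages, URL.message)) {
    text = messages[URL.message];
} else {
    text = "No message.";
}

// Even constant text is HTML-encoded on output as defence in depth.
writeOutput(encodeForHTML(text));
</cfscript>
```

If a message must carry dynamic text, build the link with urlEncodedFormat() as the reply suggests and still run the value through encodeForHTML() before output.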
Can someone give this a try for us? Just trying to see if it is our
install or just a difference between Railo and Lucee. Is there a way to
change this behavior if it is just Lucee?