"this.tag.cflocation.addtoken = false;" doesn't always work in cfscript

I had this code in my application.cfc:
this.tag.cflocation.addtoken = false;

and then in onRequestStart:

if (needsLogin) {

It redirected to my login page, but with ?CFID=xxx&CFTOKEN=yyy added.
At first I thought that the tag default setting was just not working, but after some experimentation I found that if I called it like this:
location url=loginUrl;
It worked fine (no token added to URL)

This seems to have something to do with the handling of the myriad ways a tag can be called from cfscript… “cf” prefix or not, parentheses or not, named params or not, and param assignment operator(param=value or param: value).
There doesn’t seem to be any guide as to what syntax you can use for what tags, so I tested out some variations and I found these results:

location(url=login); // bad: CFID/CFTOKEN added to url
location(url:login); // bad
location(login); // bad
location url=login; // good: clean url

cflocation(url=login); // good
cflocation(url:login); // good
cflocation(login); // syntax error
cflocation url=login; // syntax error

Kind of a confusing set of results, as far as what syntax is allowed…
Anyhow, it seems that whenever calling location using function() syntax and no “cf” prefix, it ignores the addtoken = false default setting.

As an aside, I’m wondering why I even need this setting. Why is cflocation defaulting to addtoken = true in the first place? We recently ported our app over from a really old version of BlueDragon, which never added any tokens. I talked to another Lucee developer, and he seemed to think this behavior was odd as well. He claims Lucee doesn’t do this by default on his sites.

I can’t think of a situation where I would ever want to add a token to a redirected url, since it’s used as the session ID and only causes security problems for shared urls.

So… not sure if this is an actual bug, or just an artifact of the somewhat inconsistent tag syntax in cfscript. I’d love to hear from anybody with more Lucee/CF experience in general.


Same results on 2 systems:
OS: Windows 2019 Server
Java Version: OpenJDK 11.0.3
Tomcat Version: 9.0.19
Lucee Version:

OS: MacOS 10.15.2
Java Version: 13.0.2
Tomcat Version: 9.0.11
Lucee Version:

1 Like

I believe this is the default ACF setting. Lucee makes every effort at being compatible even if the choices are not ideal.

Default value is false (when the secure profile enabled). <-- ie. true without “secure profile”

The syntax options are a result of Lucee (nee Railo) pioneering a specific syntax and then Adobe using a different syntax when they caught up. Then Lucee was forced to support its own and the ACF syntax.

As far as I’m aware the behaviour for both styles of syntax should be the same; ie this looks like an error

location(url=login); // bad: CFID/CFTOKEN added to url

Out of curiosity, which syntax is Lucee/Railo, and which is ACF?

The more elegant syntax of course :wink:

Here’s a post from @bennadel on his discovery of the Lucee tag syntax:

And the docs from ACF when they caught up:

OK, so I guess native lucee cftag syntax is no parens, args with equal signs:

tagname_without_cf_prefix arg="val" arg2="val" {
  // optional body

Now what about custom tags though? Our project has a bunch of them but they don’t seem to follow the same rules… I left this out of the initial report, but maybe related?

<!--- custom logging tag --->
<cf_tag_trace outputline="some debugging output">

  cf_tag_trace(outputline="got here"); // works
  cf_tag_trace(outputline: "got here"); // works
  cf_tag_trace outputline="got here"; // Error: Missing [;] or [line feed] after expression
  tag_trace outputline="got here"; // Error: Missing [;] or [line feed] after expression
  tag_trace(outputline="got here"); // Error: No matching function [tag_trace] found

  // positional args? nope :(
  cf_tag_trace("got here"); // Invalid Identifier, the following character cannot be part of an identifier ["]
1 Like

Oh… hehe, I guess I wasn’t quite doing the lucee tag syntax correctly.
Eliminate only the “cf” prefix… not “cf_”:

  _tag_trace outputline="got here"; // consistency!  Yes!!!

Now, if only I could get positional args working… I guess it would need to be implemented as a function rather than a custom tag, eh?

My takeaway: calling tags in cfscript may look like function calls, but is actually parsed/handled differently.

1 Like

Update: One of our installations was reporting an error No matching function [tag_trace] found
It was using the syntax:

cf_tag_trace(outputline="got here");

I tried changing it to the Lucee/Railo syntax:

_tag_trace outputline="got here";

but that didn’t work either. Now I got the error: Missing [;] or [line feed] after expression

I noticed it was using an older version of Lucee… v5.3.1.102
not upgraded from the initial installation, like my dev version was.

Anyways, I tried all of the versions between and and found that neither custom tag syntax worked below (both syntaxes work after that)

So it seems the problem is resolved now, but out of curiosity, is there a safe syntax to use for custom tags within cfscript in lucee before 5.3.5.x? That seems really recent.

I’m going to have to upgrade a lot of lucee installations since I just recently started trying to use cfscript more…I like it when code looks like code, rather than markup :wink: