与ColdFusion CF9中的HTMLEditFormat函数相比,CF10有什么区别吗? [英] Is there a difference with the HTMLEditFormat function in ColdFusion CF9 versus CF10?
问题描述
我看到HTMLEditFormat在CF9和CF10中的工作方式有所不同。
HTMLEditFormat(& gt;)
- 在CF9中:显示为& gt; (无差别)
- 在CF10中:显示为& amp; gt; (双重转义,对我来说是正确的)
我浏览了 CF10 notes ,并查看了 HTMLEditFormat文档,但是找不到任何提及这个函数如何工作的区别。有谁知道有什么区别,或知道文件证明没有什么区别? ...或者知道任何其他设置(ColdFusion或Web服务器)可能会导致这个工作不同?
(这个问题不是重复, encodeForHTML
。我理解这是理想的解决方案,但是我要求理解为什么 HTMLEditFormat
CF10。)
我无法想象为什么这个函数会有不同的行为。特别是当它计划进行CF 10的弃用。偶然,你是从 CFINPUT
标签中调用它吗?
< cfinput id =foovalue =#htmlEditFormat(someValue)#/>
p>
如果是这样,在CF6 - CF9中,该标签会自动使用 HTMLEditFormat()
。调用 HTMLEditFormat()
的第二个实例不会影响输出。但是CF 10+更新了标签以在值上使用 encodeForHTML()
。如果你还引入了一个 HTMLEditFormat()
,那么你是双重编码的输出。
安全,你应该停止使用 HTMLEditFormat()
并开始使用 encodeForHTML()
如果可用(CF10 +)。从ColdFusion 11开始, HTMLEditFormat()
已被正式弃用,并且ColdFusion 12应该完全删除该函数。
HTMLEditFormat()
只能编码4个字符:<>,&
。 >
encodeForHTML()
几乎编码每个字符,包括UTF-8字符更新的encodeFor函数是上下文,必须为正确的上下文(html,htmlattribute,js,css,xml等)选择正确的。
I'm seeing a difference in how HTMLEditFormat works in CF9 and CF10.
HTMLEditFormat(">")
- In CF9: showing up as ">" (no difference)
- In CF10: showing up as "&gt;" (double-escaped, which seems correct to me)
I've looked through the CF10 notes and reviewed the HTMLEditFormat documentation, but cannot find any mention of there being a difference in how this function works. Does anyone know of a difference, or know of documentation that proves there is no difference? ...Or know of any other settings (ColdFusion or web server) that might cause this to work different?
(This question is not a duplicate because am not asking about encodeForHTML
. I understand that is the ideal solution, but am asking to understand why HTMLEditFormat
might be different in CF9 vs. CF10.)
I can't imagine why that function would behave differently. Especially when it's was planned for deprecation going into CF 10. By chance, are you calling it from within a CFINPUT
tag?
<cfinput id="foo" value="#htmlEditFormat(someValue)#" />
If so, in CF6 - CF9, that tag uses HTMLEditFormat()
on values automatically. Calling a 2nd instance of HTMLEditFormat()
doesn't affect the output. But CF 10+ updated the tag to use encodeForHTML()
on values. If you also throw in an HTMLEditFormat()
, then you're double-encoding the output.
For better security, you should stop using HTMLEditFormat()
and start using encodeForHTML()
if it's available (CF10+). As of ColdFusion 11, HTMLEditFormat()
has been officially deprecated and by ColdFusion 12, the function should be removed completely.
HTMLEditFormat()
only encodes 4 characters: <, >, &, "
.
encodeForHTML()
encodes almost every character, including UTF-8 characters. The updated "encodeFor" functions are contextual, so you have to pick the right on for the right context (html, htmlattribute, js, css, xml, etc.).
这篇关于与ColdFusion CF9中的HTMLEditFormat函数相比,CF10有什么区别吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!