3 Replies Latest reply on May 4, 2007 4:06 PM by ScottHussey

    XML (wddx) in HTML form data

      Is it possible when submitting a form to a ColdFusion server to keep form data from being fully decoded?

      My application has the basic architecture of an interface page and a submission page.

      In the interface page: The form onSubmit event calls JavaScript that reads all of the form elements and packages them into a structure and serializes them into a WDDX string. I wrote the JavaScript-to-WDDX serializer and transform &, ', ", >, and < into the corresponding XML entities. A single form element is set to the WDDX string and the form submission continues.

      On the submission page: The WDDX string is deserialized and some checks are done and a database stored proc is executed. In one condition, the submitted request is saved to the database and all works fine for all WDDX/XML values. In the second case, the user is requested to confirm that they want to overwrite current database data. The WDDX/XML is placed in a hidden form field. When the user confirms the overwrite, the form calls back to the submission page. This is where the problem lies. If the WDDX/XML data in the hidden form field contains character entities (e.g. &amp; &quot;), they are translated back to their literal (&, ") and then cfwddx errors out because those characters are illegal in WDDX/XML. I understand that the XML string has to be encoded for the HTTP POST, but why is it not decoded back to how it appears in the form?

      I did a simpler test just to isolate the problem and the simple example below illustrates the problem. If you enter the string "&amp;" in the form and submit it, & is printed. This doesn't seem correct.

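      <!--- Test page: echo the submitted value back as-is, then show the form --->
      <cfif isdefined("inputString")>
        <cfoutput>#inputString#</cfoutput>
      </cfif>

      <form method="POST">
        <textarea name="inputString"></textarea>
        <input type="submit">
      </form>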
        • 1. Re: XML (wddx) in HTML form data
          insuractive Level 3
          The example you gave works fine on my machine. Are you viewing the source code to see what the real response is? IE will translate a &amp; in the HTML into "&" on screen.
          • 2. XML (wddx) in HTML form data
            insuractive Level 3
            I should also mention that we do a fair amount with WDDX (passing it in hidden form fields, etc) and we haven't noticed a problem with character entities.
            • 3. XML (wddx) in HTML form data
              ScottHussey Level 1
              Thanks for your reply. You are right, I didn't check my example carefully. That works correctly. But I can confirm that my actual problem was accurate. If the request contains data with &, <, >, ', " chars, something like the attached code works only if the original request does not already exist. If the user is required to use the generated confirmation form, the cfwddx tag throws an error because submitting the form decodes the character entities before the cfwddx call. I look at the source and the value of the hidden field contains &amp;, but if I print the wddxString out before the cfwddx call, it contains & in the source when the confirmation is submitted. I "fixed" it by using URLEncodedFormat() and URLDecode() on the wddxString.
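
The hidden-field round trip discussed in this thread, as an added example that is not part of any post: an HTML parser decodes character references in attribute values exactly once, so a packet written into `value="..."` unencoded comes back with its XML entities already resolved, while a packet that is HTML-encoded when the field is written comes back byte for byte. Assumptions: the sample packet is constructed, Python's `html.parser` stands in for the browser, and `html.escape` stands in for the server-side HTML encoding call (`HTMLEditFormat()` in ColdFusion); the field name `wddxString` is taken from the last post.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample: a WDDX packet whose string value already carries XML entities.
WDDX = ("<wddxPacket version='1.0'><header/><data>"
        "<string>Tom &amp; Jerry &lt;b&gt;</string></data></wddxPacket>")


class HiddenFieldReader(HTMLParser):
    """Collects <input> values as they look after HTML parsing."""

    def __init__(self):
        super().__init__()
        self.values = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and "name" in attrs:
            self.values[attrs["name"]] = attrs.get("value")


def render_confirm_form(wddx, escape):
    """Server side: put the packet in a hidden field, HTML-encoded or not."""
    value = html.escape(wddx, quote=True) if escape else wddx
    return ('<form method="POST"><input type="hidden" name="wddxString" '
            f'value="{value}"><input type="submit"></form>')


def browser_submits(page):
    """Client side: character references in the attribute are decoded once."""
    reader = HiddenFieldReader()
    reader.feed(page)
    reader.close()
    return reader.values["wddxString"]


def round_trip(wddx, escape):
    """Return (submitted string, string value, or None if XML parsing fails)."""
    submitted = browser_submits(render_confirm_form(wddx, escape))
    try:
        return submitted, ET.fromstring(submitted).findtext("data/string")
    except ET.ParseError:
        return submitted, None


if __name__ == "__main__":
    for escape in (False, True):
        print("encoded" if escape else "raw", round_trip(WDDX, escape))
```

HTML-encoding the value also keeps a quote character in the packet from ending the `value` attribute early.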