0 Replies Latest reply on Jul 9, 2015 12:36 PM by davecordes

    ColdFusion 10 vs 11 Escaping Input Parameters

    davecordes Level 1

      Hi,

      I just recently upgraded to ColdFusion 11 from ColdFusion 10 and noticed that quotation marks are not being escaped in ColdFusion 11 when those are entered in a textbox.

      Here is an image from my ColdFusion 10 server where the quotation marks are automatically being escaped.

      [Image: Screen Shot 2015-07-09 at 2.30.49 PM.png]

      Here's the view source from Google Chrome:

      [Image: Screen Shot 2015-07-09 at 2.33.50 PM.png]

      Here is an image from my ColdFusion 11 server where the quotation marks are NOT being escaped.

      [Image: Screen Shot 2015-07-09 at 2.30.56 PM.png]


      Here's the view source from Google Chrome:

      [Image: Screen Shot 2015-07-09 at 2.34.08 PM.png]

      Does anyone know if this is expected behavior or a bug? Do we really have to use EncodeForHTML() on every form field value now?
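Regardless of why the two servers differ, the defensive pattern is to encode every value at the point where it is written into the page, choosing the encoder that matches the output context. The following is an added CFML example and is not code from the original post; the field name `searchTerm` is an assumption. `encodeForHTMLAttribute()` and `encodeForHTML()` are built-in ColdFusion 10+ functions.

```cfml
<!--- Added example, not from the original post. Echoes a submitted text box value
      back into the form with explicit, context-specific output encoding.
      The field name "searchTerm" is an assumption. --->
<cfparam name="form.searchTerm" default="">

<!--- The pattern the post relies on the engine to protect. A submitted " closes the
      value="" attribute early and anything after it is parsed as HTML. Shown for
      comparison only; the form below is the version to keep. --->
<!--- <input type="text" name="searchTerm" value="#form.searchTerm#"> --->

<cfoutput>
  <form method="post" action="#encodeForHTMLAttribute(cgi.script_name)#">
    <!--- Attribute context: quotes, angle brackets and ampersands become entities,
          so the value cannot terminate the attribute or start a new tag. --->
    <input type="text" name="searchTerm"
           value="#encodeForHTMLAttribute(form.searchTerm)#">
    <button type="submit">Search</button>
  </form>

  <cfif len(form.searchTerm)>
    <!--- Element-body context: a different encoder for text between tags. --->
    <p>You searched for: #encodeForHTML(form.searchTerm)#</p>
  </cfif>
</cfoutput>
```

Because the encoding is applied in the template rather than depending on an engine-level setting, the output is identical on ColdFusion 10 and 11, and the `view-source` check from the post will show `&#x22;` (or an equivalent entity) in place of each raw quotation mark on both servers.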