1 Reply Latest reply on Nov 16, 2016 9:30 AM by WolfShade

    Canonicalize(str,bool,bool) not working as expected

    WolfShade Level 4

      Hello, all,
      I'm using canonicalize() as part of a URL and FORM scope sanitizing process, and it's not doing what the specs say it should do.
      For example, in scrubbing a URL parameter, the following _should_ throw an error:

      www.domain.com/page.cfm?var=home%27alert(%22abc%22)%27
      This should trigger an error, and cause my onError() handler in application.cfc to run. But it isn't working.

      url.var = canonicalize(url.var, true, true); // restrictMultiple = true, restrictMixed = true

      What is going on???  Why isn't this throwing an error?
      V/r,
      ^_^
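To make visible what the two boolean arguments of canonicalize() (restrictMultiple and restrictMixed) actually test for, here is an added Python sketch of ESAPI-style canonicalization; it is not ColdFusion's implementation, and its two-codec decoding table is a simplifying assumption. Under these rules the URL value from the post decodes in a single pass, so neither restriction is triggered, while a double-encoded %2527 trips the multiple-encoding check and a percent-encoded entity such as %26amp; trips the mixed-encoding check.

```python
import html
import re
from urllib.parse import unquote

class IntrusionError(ValueError):
    """Raised when a restricted encoding is found; .kind is 'multiple' or 'mixed'."""
    def __init__(self, kind, codecs_used):
        super().__init__(f"{kind} encoding detected: {codecs_used}")
        self.kind = kind

# Two codecs only (assumption: a real ESAPI-style canonicalizer knows many more).
CODECS = {
    "percent": (re.compile(r"%[0-9A-Fa-f]{2}"), unquote),
    "html-entity": (re.compile(r"&(#\d+|#x[0-9A-Fa-f]+|[A-Za-z][A-Za-z0-9]*);"), html.unescape),
}

def canonicalize(value, restrict_multiple=True, restrict_mixed=True):
    """Decode until the string stops changing; return (decoded, codecs used in order)."""
    codecs_used = []
    current = value
    while True:
        changed = False
        for name, (pattern, decode) in CODECS.items():
            if pattern.search(current):
                decoded = decode(current)
                if decoded != current:
                    current, changed = decoded, True
                    codecs_used.append(name)
        if not changed:
            break
    # Multiple: the same codec had to run more than once (e.g. %2527 -> %27 -> ').
    if restrict_multiple and len(codecs_used) != len(set(codecs_used)):
        raise IntrusionError("multiple", codecs_used)
    # Mixed: more than one codec was needed (e.g. %26amp; -> &amp; -> &).
    if restrict_mixed and len(set(codecs_used)) > 1:
        raise IntrusionError("mixed", codecs_used)
    return current, codecs_used

def classify(value):
    """Label a sample 'ok', 'multiple' or 'mixed' instead of raising."""
    try:
        canonicalize(value)
        return "ok"
    except IntrusionError as exc:
        return exc.kind

if __name__ == "__main__":
    # Constructed samples: the value from the post, then double and mixed encoding.
    for sample in ("home%27alert(%22abc%22)%27", "%2527", "%26amp;"):
        print(repr(sample), "->", classify(sample))
```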