Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 533
  • Last Modified:

CFINCLUDE equivalent for HTML only

Hi,

Is there CFINCLUDE equivalent tag that would include some html file, but would not process any CFM?

Basically I allow users to save files using my interface.

Then on my page I have the following structure:

.....my code (necessary)......
<cfinclude template="usersfile.html">
.....my code (necessary)......

Everything is fine except that user can potentially put CFM code to his file and get control of the server.

So how do I do that "cfinclude" without processing CFML inside usersfile.html

Thanks
0
alexerm
Asked:
alexerm
  • 6
  • 6
  • 3
  • +2
1 Solution
 
Seth_BienekCommented:
Hi alexerm,

Try using <cffile>:

<cffile action="read" file="usersfile.html" variable="usersfile">
<cfoutput>#usersfile#</cfoutput>

This should render the text of the file without evaluating it as ColdFusion code.

Best Regards,

Seth
0
 
alexermAuthor Commented:
I'm trying to avoid cffile whenever is possible because of it's bad perfomance.

Is there any other ways to do it without cffile?

Thanks
0
 
Seth_BienekCommented:
Hi alexerm,

There are some UDF's on cflib.org that use the Java FileReader object (for MX apps) and the Windows FileSystem COM object (for 5.x apps) to read in a file's content.

<a href="http://www.cflib.org/udf.cfm?ID=417">http://www.cflib.org/udf.cfm?ID=417</a>
(could be streamlined - see Aaron Johnson's CF blog: http://cephas.net/blog/coldfusion/)

<a href="http://www.cflib.org/udf.cfm?ID=755">http://www.cflib.org/udf.cfm?ID=755</a>

You will want to compare their performance against cffile (using gettickcount()) before committing to any given solution though, and I have a feeling it's giong to be pretty close to cffile.

If it were my app (:D), I would do some performance testing using CFFILE before deciding it's too slow.  Remember, CFMX is a whole new animal.

Hope this helps,

Seth
0
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
Tacobell777Commented:
How about saving the file as include.html and use cfinclude, I don't think it will evaluate any CF code, give it a go.
0
 
alexermAuthor Commented:
Reply to Tacobell777:

Unfortunetely, it does evaluate CF code, when using CFinclude, no matter what extension of the included file is

Alex
0
 
danrosenthalCommented:
The only thing I can think of (other than CFFILE) is to store the page in a Database.
0
 
Tacobell777Commented:
I never tried it, weird though.

How about, if you read the file into a variable and the output it like so

#dE(myFileVariable)#
0
 
anandkpCommented:
try this

<img src="my_cfm_or_html_or_any_file_i_need_to_execute.htm' width="1" height="1" border="0">

let me know ...

K'Rgds
Anand
0
 
alexermAuthor Commented:
Hi, Anand

The idea with <img> did not work. I would be surprised if it did work

Thanks

Alex
0
 
Tacobell777Commented:
Did you try my idea?

I don;t know what it is lately but people ignore me, any ideas why?
0
 
alexermAuthor Commented:
Hi, Tacobell

I did not ignore your post.

If I read from file and just output variable, then there is no need to use DE(...).

Basically when I posted this question I was aware of solution that would read from file using cffile or some other custom tag and then just output whatever was read from file. (and there is no need to use DE in this solution)

However, my question was is there standard coldfusion tag that would include file like CFINCLUDE but would not process CFML inside.

Alex
0
 
Seth_BienekCommented:
I stand by my original suggestion. :)
0
 
Tacobell777Commented:
If you read a html file with cffile, then output the result within dE() them I'm pretty sure it won't be evaluated.
dE stands for Delay Evaluation, thus is your problem is that something is evaluated then you'd want to use dE()
0
 
Tacobell777Commented:
or in your html file that you call in the cfinclude you need to put dE() around every variable present, I'm pretty sure that will work to, if it's not dE() that works then dE(dE(variable)) will work.
0
 
alexermAuthor Commented:
Hi, Taco

-------------------------------------------------------
<cffile action="read" ......... variable="myvar">
#myvar#
-----------------------------------------------------

does not require to use DE.

My problem was that CFINCLUDE evaluates CFML.

Alex

0
 
Tacobell777Commented:
you know what, you seem to know it all, sort it out by yourself. ciao
0
 
alexermAuthor Commented:
Tacobell,

You asked me to comment about your idea and I did

I don't understand why you got frustrated
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 6
  • 6
  • 3
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now