Solved

adding quote symbol " in input field

Posted on 2014-04-22
491 Views
Last Modified: 2014-04-22
ColdFusion 9
MS SQL Server 2012

Good morning. I've run into a strange problem and could use some advice.

When I enter text with quotes into an input field, the text is truncated beginning with the quotes.

For example, I enter:
Comp wins the "Oscar" of Government Service

When I submit the form, the result in the input field is:

Comp wins the

(including the trailing space after 'the')

I wonder if this relates to the XSS protection that is set up on lines 25 - 28.

Is there a way I can keep the XSS protection and still be able to save quotes in input fields?

My edit page is below. Thank you for your help.

Eric


editNews.cfm:

<!-----
Name:        editNews.cfm
Author:      Eric Bourland / gdemaria / _agx_
Description: this interface allows a user to create and edit database records that contain news items
Created:     March 2011
Edited:      April 2014
ColdFusion Version 9
MS SQL Server 2012
----->


 <!--- Set default value for newsID in scope URL --->
<cfparam name="url.newsID" default="">

<!--- Define newsID in scope FORM, then set form.newsID equal to the newsID passed in the URL: for use later in the application --->
<cfparam name="form.newsID" default="#url.newsID#">

<cfparam name="form.newsTitle" default="">
<cfparam name="form.newsContent" default="">
<cfparam name="form.newsAuthor" default="">
<cfparam name="newsDateCreated" default="">
<cfparam name="form.NewsDate" default="">
<cfparam name="form.newsExcerpt" default="">

<!--- in user-editable fields, set up protection against XSS.
      NOTE: stripping <script>...</script> with a regex only covers that one pattern;
      the dependable control is encoding each value with HTMLEditFormat() at the point
      it is written into the HTML, so it stays inside its attribute or element. --->
<cfloop collection="#FORM#" item="field">
  <cfset FORM[ field ] = ReReplaceNoCase(FORM[ field ], "<script.*?>.*?</script>", "", "all")>
</cfloop>

<cfquery datasource="#application.datasource#" name="editNews">
SELECT newsID, newsTitle, NewsDate, newsAuthor, newsContent, newsExcerpt, newsDateCreated
FROM #REQUEST.NewsTable#
WHERE newsID = <cfqueryparam value="#val(url.newsID)#" cfsqltype="cf_sql_integer">
</cfquery>

		   
<!---- begin CFTRY; catch errors ---->
<cftry>  
 
<!---- populate cftry with error message ---->
<cfset variables.error = ""> 
 
<!--- begin form.doSave --->

<cfif IsDefined("form.doSave")>

<!--- when a newsID exists, the action is UPDATE --->
   
<cfif val(form.newsID)>
                
            <cfquery name="UpdateRecord" datasource="#application.datasource#">
				  UPDATE #REQUEST.NewsTable#
				  SET
           newsTitle = <cfqueryparam cfsqltype="cf_sql_varchar" value="#Trim(Left(form.newsTitle,255))#">, 
           NewsDate = <cfqueryparam cfsqltype="cf_sql_date" value="#createODBCdate(Trim(form.NewsDate))#">,
           newsAuthor = <cfqueryparam cfsqltype="cf_sql_varchar" value="#Trim(Left(form.newsAuthor,128))#">,
           newsContent = <cfqueryparam cfsqltype="cf_sql_varchar" value="#Trim(form.newsContent)#">,
           newsExcerpt = <cfqueryparam cfsqltype="cf_sql_varchar" value="#Trim(form.newsExcerpt)#">
           		  WHERE newsID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.newsID)#">
			</cfquery>


<!--- CFELSE: if newsID does not exist, then create new record --->
				<cfelse> 
                
                
<!--- query to insert a new news record into #REQUEST.NewsTable# --->
			<cfquery name="InsertRecord" datasource="#application.datasource#" result="newPage">
				 INSERT INTO #REQUEST.NewsTable#
     					(
                        newsTitle,
			            NewsDate,
                        newsAuthor,
                        newsContent,
                        newsExcerpt,
                        newsDateCreated
                        )
			     VALUES(
                    <cfqueryparam cfsqltype="cf_sql_varchar" value="#Trim(Left(form.newsTitle,255))#">,
                    <cfqueryparam cfsqltype="cf_sql_date" value="#createODBCdate(Trim(form.NewsDate))#">,
                    <cfqueryparam cfsqltype="cf_sql_varchar" value="#Trim(Left(form.newsAuthor,128))#">,
                    <cfqueryparam cfsqltype="cf_sql_varchar" value="#Trim(form.newsContent)#">,
                    <cfqueryparam cfsqltype="cf_sql_varchar" value="#Trim(form.newsExcerpt)#">,
                    <cfqueryparam cfsqltype="cf_sql_timestamp" value="#now()#">
                         )         
					</cfquery>
                    
                    
<!--- use the result attribute value (newPage) to set form field value --->
      <cfset form.newsID = newPage.IDENTITYCOL>
              
<!--- END queries to update or insert database records ---> 

<!--- END cfif val(form.newsID) -- if a topic needed to be updated or added, then it was done --->
					    </cfif>  


<!--- done? relocate --->

<cfif val(url.NewsID)>
<cflocation url="/admin/editNews.cfm?NewsID=#val(url.NewsID)#" addtoken="yes">

<cfelse>                     
<cflocation url="/admin/manageNews.cfm" addtoken="no">
				     
</cfif>
             
<!--- END: Save action --->

<!--- END form.doSave --->
                    </cfif>
       
<!--- END queries to update or insert database records ---> 
        

<!--- this CFCATCH will trap errors --->
            <cfcatch type="Any">
                 <cfset variables.error = cfcatch.message>
            </cfcatch>

<!--- END CFTRY --->  
			</cftry>
       
       
<!--- fetch the data from the database only when there are no errors; let the form variables pass back from the data table into the form to display ---->
 
<cfif len(variables.error) eq 0>
    
<!--- get data from table #REQUEST.NewsTable# and convert the data into form variables --->
			  <cfquery name="getPageDetails" datasource="#application.datasource#">
			    SELECT newsID, newsTitle, NewsDate, newsAuthor, newsContent, newsExcerpt, newsDateCreated
                FROM #REQUEST.NewsTable#
                WHERE newsID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.newsID)#">
 			  </cfquery>

  			<cfloop index="aCol" list="#getPageDetails.columnList#">
			       <cfset "form.#aCol#" = getPageDetails[aCol][getPageDetails.currentRow]>
			  </cfloop>
    
</cfif>



<!----- if record already exists then update record; otherwise, add new record ----->
				<cfif val(url.newsID)>
					  <cfset FormTitle="Update News">
					  <cfset ButtonText="Update">
				<cfelse>
						<cfset FormTitle="Create News Record">
						<cfset ButtonText="Create News Record">

				</cfif>

       
       
       <!--- BEGIN HTML / CSS PAGE HEADER --->
<cfinclude template="/admin/admin_header.cfm">

<cfinclude template="/admin/adminNav.cfm">

<cfinclude template="/admin/TinyMCE.cfm">

<!--- if there an error, display error in readable form --->

<cfif len(variables.error)> 
	  <cfoutput>
	    <div class="errorbox">#variables.error#</div>
	    </cfoutput>

             <div class="center">
               <input type=button value="Go Back" onClick="history.go(-1)">
             </div>
             
             <cfabort>
</cfif>

<cfparam name="url.cftoken" default="">

<cfif len(url.cftoken)> 

<div class="center"><button class="medium green"><span class="white"><i class="icon-check"></i></span> Update succeeded. Good work.</button></div>

</cfif>

	<!--- Form begins here --->
	<form method="post" enctype="multipart/form-data" name="ebwebworkForm" class="ebwebworkForm">
                
 
 <!--- Embed newsID (PK) to assign a value to it --->
 <cfoutput>
<input type="hidden" name="newsID" value="#form.newsID#" />
 </cfoutput>

    <ul>
        <li>
<cfoutput>
<legend><h2>#FormTitle#</h2></legend>
</cfoutput>

     <img src="https://lh6.googleusercontent.com/-rXrwzErpu7Q/U06TdnsBKfI/AAAAAAAAAoA/5QepC-sHWpc/s800/red_asterisk.png" alt="Required Field" width="16" height="16" /> Required
      </li>

<li>
  <label for="newsTitle"><h3>News Title:</h3></label>
  	 <cfoutput><input type="text" name="newsTitle" placeholder="Enter News Title" value="#Trim(Left(form.newsTitle,255))#" maxlength="255" tabindex="1" size="70" autofocus="true" required="yes" /></cfoutput>
        <span class="form_hint">Enter News Title; 255 characters max.</span>         
</li>
        
        
 <li>
    
<label for="NewsDate"><h3>News Date:</h3></label>
<!--- scope the variable explicitly; the pattern must be month/day/year to match the placeholder and createODBCdate() --->
<cfoutput><input type="text" name="NewsDate" placeholder="Enter Date in mm/dd/yyyy format" value="#DateFormat(form.NewsDate, "mm/dd/yyyy")#" tabindex="2" pattern="(0[1-9]|1[012])/(0[1-9]|[12][0-9]|3[01])/[0-9]{4}" size="70" required="yes" /></cfoutput>
<span class="form_hint">Enter Date in mm/dd/yyyy format</span>
        
</li>
        
        

<li>

<label for="newsAuthor"><h3>Author:</h3></label>
<cfoutput><input type="text" name="newsAuthor" placeholder="Enter Author Name" value="#Trim(Left(form.newsAuthor,128))#" maxlength="128" tabindex="3" size="70" required="yes" /></cfoutput>
<span class="form_hint">Enter Author Name; 128 characters max.</span>
        
</li>


<a name="tinymce"></a>
            <p class="center">Use TinyMCE to edit content:</p>

<li>
<label for="newsContent"><h3>News Description:</h3></label>

    <span class="smallred">Use TinyMCE to enter and format content here. If you get confused, please consult the <a href="javascript:popUp('http://manage.ebwebwork.com/control/cms.cfm')">documentation</a>.</span>
     
      <textarea name="newsContent"
      		wrap="virtual"  
      		tabindex="4"
      		width="600"
	  		height="300"
      		style="width:600px;height:300px;"
      		required>

           <cfoutput>#form.newsContent#</cfoutput>
   
	  </textarea>
</li>

     
     <li>
     <label for="newsExcerpt"><h3>News Excerpt:</h3></label>
     <p class="smallred width600px">Display an excerpt to encourage readers. Just text, no images. There is no need to format this excerpt text. Your web site style sheet automatically applies formatting per the established style of your web site template.</p>
      <textarea name="newsExcerpt"
            wrap="virtual"  
            tabindex="5"
            width="600"
			height="100"
            style="width:600px;height:100px;"
            required="yes">

           <cfoutput>#form.newsExcerpt#</cfoutput>
   
	  </textarea>
</li>
    
    
    <li>
<div class="submitButton">
   <cfoutput>  
   <button name="doSave" type="submit" class="green" tabindex="6">#ButtonText#</button>
   </cfoutput>
</div>  
</li>
    
    
    </ul>



</form>


<!--- Page footer --->
<cfinclude template="/admin/admin_footer.cfm">


Question by:Eric Bourland
5 Comments
 
LVL 15

Expert Comment

by:myselfrandhawa
ID: 40014664
After your XSS code, did you try using cfdump to actually see what contents you are getting?

<cfloop collection="#FORM#" item="field">
      <cfset FORM[ field ] = ReReplaceNoCase (FORM[ field ], "<script.*?>.*?</script>", "", "all")>
    </cfloop>



<cfdump var="#form#">

Also, you are using cfqueryparam, which handles all these cases. If you still want to make sure the string does not break,

try using the functions:

http://www.cflib.org/udf/cfStringFormat
 
LVL 52

Accepted Solution

by:
_agx_ earned 500 total points
ID: 40014685
@Eric - That's normal. If you do a view source, the full text is there. However, the browser interprets the double quote to mean "end of value", and visually truncates the rest.  

    <input value="Comp wins the "Oscar" of Government Service">

To prevent this, wrap the value in HTMLEditFormat(). A good idea anyway, as it helps w/some types of xss attacks.  
 
   <cfoutput>
   <input value="#HTMLEditFormat(FORM.someField)#">
   </cfoutput>
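The truncation and the fix, as an added Python example that is not from the thread: a minimal model of how a browser tokenizes the `<input>` tag editNews.cfm emits, with `html_edit_format` standing in for ColdFusion's HTMLEditFormat(). The helper names (`render_input`, `parse_attributes`, `field_value_seen_by_browser`) are this example's own.

```python
import re
import html

# Title from the question (constructed sample input for this example)
TITLE = 'Comp wins the "Oscar" of Government Service'


def html_edit_format(s: str) -> str:
    """Python equivalent of ColdFusion's HTMLEditFormat(): escapes &, <, > and the double quote."""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;"))


def render_input(value: str, encode: bool) -> str:
    """Build the newsTitle <input> as editNews.cfm does (encode=False)
    or as the accepted answer does, wrapped in HTMLEditFormat (encode=True)."""
    v = html_edit_format(value) if encode else value
    return f'<input type="text" name="newsTitle" value="{v}" />'


# One attribute: a name, then optionally '=' and a quoted or unquoted value.
_ATTR = re.compile(r'\s*([^\s=/>]+)(?:\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+)))?')


def parse_attributes(tag: str) -> dict:
    """Simplified start-tag tokenizer (hypothetical helper): a double-quoted value
    ends at the very next '"', and whatever follows is read as further attribute
    names (a browser keeps stray quotes in those names too). Entity references
    inside a value are decoded, as a browser does before showing the field."""
    body = tag[len("<input"):-len("/>")]
    attrs = {}
    for m in _ATTR.finditer(body):
        name, dq, sq, uq = m.groups()
        raw = dq if dq is not None else sq if sq is not None else uq
        attrs[name.lower()] = html.unescape(raw) if raw is not None else None
    return attrs


def field_value_seen_by_browser(value: str, encode: bool) -> str:
    """What the text box actually shows once the page is rendered."""
    return parse_attributes(render_input(value, encode=encode))["value"]


if __name__ == "__main__":
    for encode in (False, True):
        attrs = parse_attributes(render_input(TITLE, encode))
        print("encoded" if encode else "raw", "->", repr(attrs["value"]), "| attributes:", list(attrs))
```

Unencoded, the text after the first quote is not lost from the source; it is parsed as extra attributes on the tag, which is also why a user-supplied value can otherwise add attributes the page never intended.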
 
LVL 3

Author Comment

by:Eric Bourland
ID: 40014692
Dear randhawa,

Thanks for your note. When I do <cfdump var="#form#">

I get:

struct
NEWSAUTHOR 	[empty string]
NEWSCONTENT 	[empty string]
NEWSDATE 	[empty string]
NEWSEXCERPT 	[empty string]
NEWSID 	81
NEWSTITLE 	[empty string]




... but I am not sure what to make of that ... it looks like no data are being processed?

Eric
 
LVL 3

Author Comment

by:Eric Bourland
ID: 40014694
_agx_ I will try that. =)  E
 
LVL 3

Author Closing Comment

by:Eric Bourland
ID: 40014706
That worked. =) The result:

<cfoutput><input type="text" name="newsTitle" placeholder="Enter News Title" value="#HTMLEditFormat(Trim(Left(form.newsTitle,255)))#" maxlength="255" tabindex="1" size="70" autofocus="true" required="yes" /></cfoutput>

_agx_, thank you as always.

randhawa, thank you also for your help, as always.

I hope you both have a great day.

Eric