Escaping CF and HTML Tags from DB


We're using a form to allow users to enter some info as part of a CMS. The problem that I am having is when I output what's in the DB on the page, it doesn't escape show the variables that are stored in the database. For instance, we have this in the DB:
<p class="copyright-bar">© #DateFormat(Now(), "yyyy")# Keyword Connects | <a href="/loc/privacy-policy.cfm?#CGI.QUERY_STRING#">Privacy Policy</a></p>

But when I output it on the page with <cfoutput> tags, I get this...
"© #DateFormat(Now(), "yyyy")# Keyword Connects | Privacy Policy"

Can someone tell me how I can go about getting the actual CF vars to display rather than #DateFormat(Now(), "yyyy")#?

Any help would be appreciated

CF won't evaluate the contents of a variable as code unless you use evaluate(). This is one of the few cases it is actually needed.

      <cfoutput> #evaluate( queryName.columnName)# </cfoutput>

Just keep in mind evaluate() is not security conscious. It'll do exactly what you tell it, so a savvy user could inject malicious code into the field and evaluate() would happily execute it. To avoid that kind of thing, a lot of systems use placeholders instead. Then do a replace() on the contents when outputting the value, i.e.

         <cfset contents = replace(queryName.columnName, "{{Current_Year}}", DateFormat(Now(), "yyyy"))>
         <cfoutput> #contents# </cfoutput>
nmarano (Author) Commented:
agx- Thanks, let me take a look
nmarano (Author) Commented:
So, it throws an error when I use evaluate because it is looking at the '<' that starts what's being stored in the database.

<p class="copyright-bar">© #DateFormat(Now(), "yyyy")# Keyword Connects | <a href="/loc/privacy-policy.cfm?#CGI.QUERY_STRING#">Privacy Policy</a></p> <p class="copyright-bar">© #DateFormat(Now(), "yyyy")# Keyword Connects | <a href="/loc/privacy-policy.cfm?#CGI.QUERY_STRING#">Privacy Policy</a></p>

So it's picking up the <p class and getting this error message....

"Invalid CFML construct found on line 1 at column 1.
ColdFusion was looking at the following text:

The CFML compiler was processing:

< marks the beginning of a ColdFusion tag.Did you mean LT or LTE?"

Hm. I rarely ever use evaluate(), so I'm not sure how it'll interact with html mixed with cfml.  Let me run a few tests.

I know another option is to write the content to a .cfm file. Then the mixed content will be executed just like any other .cfm page, but .. I was hoping to avoid that...
nmarano (Author) Commented:
the content is set on index.cfm
Unfortunately, I think you'll have to write it to a .cfm file. Evaluate() doesn't let you mix CFML/HTML. I don't see a way around it. Not unless you use placeholders and replace() instead of allowing them to embed CF code.


By "write it to a .cfm file", I mean either save the new content to a .cfm file only when it's changed


Use a technique I read about in a forum, i.e. use a temp file:

1) Read the content from the db into a query
2) Write the query value to a temp .cfm file in ram://
3) CFINCLUDE the temp file
4) Delete the temp file when finished.

I haven't done that myself. My preference is placeholders, but in theory temp files should work.
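The placeholder approach suggested in both of agx's answers, written out as an added example (this is not code from the thread or from the asker's CMS). It assumes ColdFusion 10 or later (closures, encodeForHTMLAttribute), and the token names, the sample DB row and the function name renderPlaceholders are made up for the example. The point is that the stored text is never compiled: only the tokens in the allow-list are substituted, so a row containing #...#, <cfset> or evaluate(...) is printed literally rather than executed, which is what distinguishes this from evaluate() or from writing the row to a temp .cfm file and including it.

```cfml
<!--- Added example (not from the thread): render CMS content with an
      allow-list of placeholders instead of evaluate() or a temp include.
      Token names, sample row and function name are assumptions. --->
<cfscript>
// Constructed sample of what the CMS row would hold: tokens only, no CFML.
storedContent = '<p class="copyright-bar">&copy; {{Current_Year}} Keyword Connects | '
              & '<a href="/loc/privacy-policy.cfm?{{Query_String}}">Privacy Policy</a></p>';

// Every token the CMS supports maps to a function that produces its value.
// Nothing outside this struct is ever evaluated, so stored text that looks
// like CFML (#...#, <cfset>, evaluate(...)) is output as-is, never run.
placeholders = {
    "Current_Year" : function() { return dateFormat(now(), "yyyy"); },
    // The query string lands inside an href attribute, so encode it for
    // that context instead of echoing request data into the markup raw.
    "Query_String" : function() { return encodeForHTMLAttribute(cgi.query_string); }
};

function renderPlaceholders(required string content, required struct tokens) {
    var out = arguments.content;
    for (var name in arguments.tokens) {
        var produce = arguments.tokens[name];
        // "all" replaces every occurrence; any {{...}} token not in the
        // allow-list is simply left in the output untouched.
        out = replaceNoCase(out, "{{" & name & "}}", produce(), "all");
    }
    return out;
}

rendered = renderPlaceholders(storedContent, placeholders);
</cfscript>
<cfoutput>#rendered#</cfoutput>
```

Adding a new dynamic value means adding one entry to the struct; content editors get a fixed vocabulary of tokens and never the ability to run CFML, which is the property the thread's evaluate() and temp-file variants give up.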

nmarano (Author) Commented:
Hey agx-

Sorry I never got back to this. We used your suggestion and modified it a tad. Rather than using temp files, we created include files which need to be created for each client that we have. Thanks for the help.