• Status: Solved
  • Priority: Medium
  • Security: Public

Escaping CF and HTML Tags from DB


We're using a form to allow users to enter some info as part of a CMS.  The problem that I am having is when I output what's in the DB on the page, it doesn't escape/show the variables that are stored in the database.  For instance, we have this in the DB:
<p class="copyright-bar">© #DateFormat(Now(), "yyyy")# Keyword Connects | <a href="/loc/privacy-policy.cfm?#CGI.QUERY_STRING#">Privacy Policy</a></p>

But when I output it on the page with <cfoutput> tags, I get this..
"© #DateFormat(Now(), "yyyy")# Keyword Connects | Privacy Policy"

Can someone tell me how I can go about getting the actual CF vars to display rather than #DateFormat(Now(), "yyyy")#?

Any help would be appreciated

1 Solution
CF won't evaluate the contents of a variable as code unless you use evaluate(). This is one of the few cases it is actually needed.

      <cfoutput> #evaluate( queryName.columnName)# </cfoutput>

Just keep in mind evaluate() is not security conscious.  It'll do exactly what you tell it, so a savvy user could inject malicious code into the field and evaluate() would happily execute it.  To avoid that kind of thing, a lot of systems use placeholders instead. Then do a replace() on the contents when outputting the value, i.e.

         <cfset contents = replace(queryName.columnName, "{{Current_Year}}", DateFormat(Now(), "yyyy"))>
         <cfoutput> #contents# </cfoutput>
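The placeholder approach above, worked out as an added example (this is not code from the answer or from the poster's CMS). It assumes the stored column is called `body`, uses made-up placeholder names `{{Current_Year}}` and `{{Query_String}}`, and relies on encodeForHTMLAttribute(), which needs ColdFusion 10 or later (htmlEditFormat() is the older substitute). The point is that the set of substitutions is fixed in code: the database row can only pick from the whitelist, never supply an expression, so there is nothing for evaluate() to run. Note that the original row drops CGI.QUERY_STRING straight into an href; the example encodes it before it lands in the attribute.

```cfml
<cfscript>
// Added example, not code from the original thread.
// Renders CMS content by substituting a whitelisted set of placeholders
// instead of evaluating stored CFML.

// Constructed stand-in for the "body" column of the CMS row. The tokens are
// {{...}} placeholders where the original row embedded raw CF expressions.
sampleBody = '<p class="copyright-bar">&copy; {{Current_Year}} Keyword Connects | '
    & '<a href="/loc/privacy-policy.cfm?{{Query_String}}">Privacy Policy</a></p>';

// Every value is computed here, by the template, not by the stored text.
function renderPlaceholders(required string body) {
    var values = {
        "Current_Year" : dateFormat(now(), "yyyy"),
        // Request data is attacker-controlled: encode it for the attribute
        // context it is dropped into (CF10+; use htmlEditFormat() on CF9).
        "Query_String" : encodeForHTMLAttribute(cgi.QUERY_STRING)
    };
    var out = arguments.body;
    for (var name in values) {
        out = replaceNoCase(out, "{{" & name & "}}", values[name], "all");
    }
    // Unknown placeholders are left visible rather than silently dropped,
    // so a typo in the CMS shows up on the page instead of disappearing.
    return out;
}

writeOutput(renderPlaceholders(sampleBody));
</cfscript>
```

Because only the keys of `values` are ever substituted, an editor who types `{{Evaluate}}` or `#someFunction()#` into the CMS field gets those characters back as literal text; the stored content has no path to the compiler.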
nmarano (Author) commented:
agx- Thanks, let me take a look
nmarano (Author) commented:
So, it throws an error when I use evaluate because it is looking at the '<' that starts what's being stored in the database.

<p class="copyright-bar">© #DateFormat(Now(), "yyyy")# Keyword Connects | <a href="/loc/privacy-policy.cfm?#CGI.QUERY_STRING#">Privacy Policy</a></p> <p class="copyright-bar">© #DateFormat(Now(), "yyyy")# Keyword Connects | <a href="/loc/privacy-policy.cfm?#CGI.QUERY_STRING#">Privacy Policy</a></p>

So it's picking up the <p class and getting this error message....

"Invalid CFML construct found on line 1 at column 1.
ColdFusion was looking at the following text:

The CFML compiler was processing:

< marks the beginning of a ColdFusion tag.Did you mean LT or LTE?"

Hm. I rarely ever use evaluate(), so I'm not sure how it'll interact with html mixed with cfml.  Let me run a few tests.

I know another option is to write the content to a .cfm file. Then the mixed content will be executed just like any other .cfm page, but .. I was hoping to avoid that...
nmarano (Author) commented:
the content is set on index.cfm
Unfortunately, I think you'll have to write it to a .cfm file. Evaluate() doesn't let you mix CFML/HTML.  I don't see a way around it.  Not unless you use placeholders and replace() instead of allowing them to embed CF code.


By "write it to a .cfm file", I mean either save the new content to a .cfm file only when it's changed


Use a technique I read about in a forum, i.e. use a temp file:

1) Read the content from the db into a query
2) Write the query value to a temp .cfm file in ram://
3) CFINCLUDE the temp file
4) Delete the temp file when finished.

I haven't done that myself. My preference is placeholders, but in theory temp files should work.
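The four-step temp-file technique, written out as an added example (not code from the thread; the answerer says above that he has not run it himself). It assumes the Application.cfc defines a mapping `this.mappings["/ram"] = "ram:///"`, which cfinclude needs in order to read from the in-memory file system, and it uses a constructed stand-in for the query row rather than a real database call. One caveat belongs next to this technique: the stored text is compiled and executed as CFML, so it carries exactly the risk the solution post attributes to evaluate(). Anyone who can write that database row can run code on the server, which is acceptable only when the rows are authored by trusted administrators, not by end users of the form. The constructed row also encodes CGI.QUERY_STRING before using it in the href, which the original row did not.

```cfml
<!--- Added example, not code from the original thread.
      Assumes Application.cfc contains:  this.mappings["/ram"] = "ram:///"
      Executes the stored row as CFML, so only use it for admin-authored content. --->

<!--- 1) Stand-in for the value read from the database (constructed here).
      Outside cfoutput the pound signs are stored literally, not evaluated. --->
<cfsavecontent variable="storedBody"><p class="copyright-bar">&copy; #dateFormat(now(), "yyyy")# Keyword Connects | <a href="/loc/privacy-policy.cfm?#encodeForHTMLAttribute(cgi.QUERY_STRING)#">Privacy Policy</a></p></cfsavecontent>

<!--- A per-request file name so concurrent requests never share a temp file --->
<cfset tempName = "cms_" & createUUID() & ".cfm">
<cfset tempFile = "ram:///" & tempName>

<cftry>
    <!--- 2) Write the row to the RAM disk, wrapped in cfoutput so the
          #...# expressions inside it are evaluated when the file runs --->
    <cfset fileWrite(tempFile, "<cfoutput>" & storedBody & "</cfoutput>")>

    <!--- 3) Include it through the /ram mapping; the compiler now sees a
          normal .cfm page with HTML and CFML mixed, which evaluate() could not handle --->
    <cfinclude template="/ram/#tempName#">

    <cfcatch>
        <cfrethrow>
    </cfcatch>
    <cffinally>
        <!--- 4) Remove the temp file whether or not the include succeeded --->
        <cfif fileExists(tempFile)>
            <cfset fileDelete(tempFile)>
        </cfif>
    </cffinally>
</cftry>
```

Compared with the poster's eventual per-client include files, the RAM-disk version keeps nothing on disk and needs no deploy step when content changes, but it pays a compile on every request; a cached per-client .cfm, regenerated only when the row changes (the "save only when it's changed" variant mentioned above), avoids that cost. Both variants share the trust assumption stated in the lead-in.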
nmarano (Author) commented:
Hey agx-

Sorry I never got back to this.  We used your suggestion and modified it a tad.  Rather than using temp files, we created include files which need to be created for each client that we have.  Thanks for the help