
In an earlier question, "encodeForHtml() vs htmlEditFormat(), how are they different?", it seems like the new encodeForHtml() & encodeForURL() functions are superior to htmlEditFormat() & urlFormat() respectively.

Should the esapi-based encodeForXXX functions be used in favor of the existing ones? Should the 2 older functions be deprecated?

Thank you.

Henry
  • Adobe Security team have published an article on [security enhancements with ColdFusion 10](http://blogs.adobe.com/asset/2012/05/coldfusion-10-provides-powerful-new-security-tools.html), worth a visit. – Chandan Kumar May 16 '12 at 20:01
  • @ChandanKumar it doesn't quite address this question, but thanks for the update. Do you think Adobe will take an official stand on this issue? – Henry May 16 '12 at 21:59

3 Answers


I have no idea if the two older functions would be deprecated. But I would say that using the new functions would be a good idea, unless you need to support backward compatibility.

Jason Dean

The new functions cover all the territory the old functions did, plus they are more "aware" of more recent potential risks in incompletely escaped mark-up. I see no reason to use the old functions given the existence of the new functions.

As for deprecation, I'm all for it. If encodeForHtml() - for example - is better / more secure than htmlEditFormat(), then it is at best poor form to not flag the latter as obsolete and that the new function should be used instead. At worst it's negligent not to do so.

I would urge Adobe to mark htmlEditFormat() etc. as deprecated in the docs, and advise why. I would not suggest they take it any further than deprecation at this point though.

Adam Cameron
  • Since the [bugbase](https://bugbase.adobe.com/) has a "documentation" option (in "Area"), perhaps you could direct your urges at Adobe rather than people on SO? :) – Peter Boughton May 16 '12 at 11:37
  • _(and provide the link to make it easier for others to vote on)_ – Peter Boughton May 16 '12 at 11:37
  • Your patronising tone never lets you down, @Peter. Sorry I missed your comment until just now, but you're dead right in intent if not delivery style. Here's the link: https://bugbase.adobe.com/index.cfm?event=bug&id=3329177. Cheers. – Adam Cameron Sep 11 '12 at 23:31
  • What tone? The emote should have indicated no patronising/whatever was intended. – Peter Boughton Sep 12 '12 at 01:13
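To make the "incompletely escaped mark-up" point above concrete, here is a side-by-side model of the two escaping policies being compared. This is an added example, not code from the thread or from ColdFusion itself; the character sets are assumptions taken from the documented behaviour (htmlEditFormat() escapes only &, <, > and "; encodeForHtml() follows ESAPI and encodes every character that is not alphanumeric or in a small immune set), so check them against your own CF version's output.

```python
# Added example: a Python model of the two ColdFusion escaping policies.
# Assumption: htmlEditFormat() replaces only the four classic HTML specials,
# while encodeForHtml() (ESAPI-based) encodes everything that is not a letter,
# a digit, or one of the immune characters ",.-_ " (comma, dot, dash,
# underscore, space). Named entities are used where one exists, hex otherwise.

NAMED = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}
IMMUNE = set(",.-_ ")


def minimal_escape(s: str) -> str:
    """Model of htmlEditFormat(): only &, <, > and \" are touched."""
    return "".join(NAMED.get(ch, ch) for ch in s)


def esapi_style_encode(s: str) -> str:
    """Model of encodeForHtml(): any non-alphanumeric, non-immune character
    becomes an entity, so a single quote can no longer close a
    single-quoted attribute even though minimal_escape() leaves it alone."""
    out = []
    for ch in s:
        if ch.isalnum() or ch in IMMUNE:
            out.append(ch)
        else:
            out.append(NAMED.get(ch) or f"&#x{ord(ch):x};")
    return "".join(out)


def surviving_quotes(encoded: str) -> set:
    """Raw quote characters still present after encoding (the risk the
    answer above refers to: a quote the template may rely on being inert)."""
    return {q for q in ("'", '"') if q in encoded}


if __name__ == "__main__":
    sample = "O'Brien <b>said</b> \"hi\""  # constructed input, not from the page
    for name, fn in (("htmlEditFormat-like", minimal_escape),
                     ("encodeForHtml-like", esapi_style_encode)):
        enc = fn(sample)
        print(f"{name:20}: {enc}")
        print(f"{'':20}  surviving quotes: {surviving_quotes(enc) or 'none'}")
```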

New in ColdFusion 11

Deprecated

The HTMLEditFormat() function has [been] deprecated.

Henry
  • Perhaps this changed before it went final. I don't see it listed as deprecated. – philcruz May 19 '14 at 22:12
  • Huh, they have removed it somehow. – Henry May 21 '14 at 22:03
  • @philcruz Wiki page history shows it was removed. I'm chasing after the editor here: https://wikidocs.adobe.com/wiki/display/~frankjen/Home?focusedCommentId=142214089#comment-142214089 – Henry May 30 '14 at 16:54