Thursday, June 12, 2008

Overlooked Techniques

We're all creatures of habit, and forming good ones is key to a long and productive career. I want to post at least a few of my favorite techniques that I believe are 'highly' overlooked in almost every application I look at/code I review.

1.) ColdFusion HTMLEDITFORMAT on HTML form field values

First off, let me give an example of what can happen if you don't use HTMLEDITFORMAT on your data that is either redisplayed from the user, or directly from a database.

Example:
<input type="text" value=""/>I am now Writing directly to this page and can do whatever I want, including relocate a person to another website using javascript etc. "/>


Trusting user input is not only unsafe but can lead to strange formatting issues when someone has quotation marks in their text (and you are using quotation marks in your html input attributes)
Rule of thumb - always use it to Wrap all cfusion dynamic data in html inputs
i.e.
<input type="text" value="#htmleditformat(variables.dbData)#"/>


2.) ColdFusion 'output=false' on cfcomponent tag and all cffunction tags within a component

Trying to debug this issue can be a nightmare, so just always set
output=false
Your cfcomponent and cffunction tags both have the 'output' attribute and should be set to 'false' if you're not returning data to the page (which you should limit the display from cfc method anyway)
.
If you're like us and use Eclipse/cfeclipse, then have this in your snippet for the creation of functions, and you will never have to try and hunt down a single space issue in your application again.

3.) JavaScript escape() function for url data

When you append data to the url in a javascript string, the characters you are appending need to be url safe. The escape() function does exactly this.
Example:

document.location.href="index.cfm?page=x.y&firstname=" + escape(x)


Special characters and spaces etc will need special treatment and not unlike the urlencodedformat() in coldfusion, javascript data needs to be treated with the same respect through the url.


No comments: