XSS in Failure()

[NathanStrutz]

It is possible to introduce a XSS type of hack by creating an incorrect action. Example:

/index.cfm?action=<script>alert(123)</script>

It can be mitigated by adding encodeForHTML() functions around variable outputs in the Failure() function.

[seancorfield]

I'd consider it an edge case -- you should have your own error handler that does a better job. However, it's a valid point and now I'm no longer supporting older versions of CFML, a modern encoding function is fine. Per my comment on the PR, can you make that test pass too please, then I'll merge it.

[seancorfield]

@NathanStrutz Your PR still fails the CI tests...

[NathanStrutz]

Yeah I'm lazy and busy. It's a bad combination. I'll get to it... soon.

[seancorfield]

Since yesterday, the CI tests are easier to run locally since it's all CommandBox/TestBox now, and all self-contained. No Ant, no MXUnit.

I'm only pestering you because I'm actively working on 4.1 this week :)

[NathanStrutz]

Oh that's great. Thanks. Maybe I should have put in a bug for that - I remember now that I couldn't get mxunit to run in Lucee, which was why I hadn't just churned it out. I'll give it another shot this weekend. Thank you!