Reputation: 7853
I have a ColdFusion form and set a field value by copying it from another form with the JavaScript below. (This is actually from a popup input window where you can paste large texts).
form1.remark.value = form2.remark.value;
After this happens, form1 is submitted for further processing by another process.cfm page.
The problem is the remark.value contains complex text, including XML, but it is encoded when it arrives at the process.cfm page. I'm looking for a way to correctly encode it in the JavaScript portion and then decode it at process.cfm using ColdFusion code so that I get back the original text, including XML tags.
How is this best accomplished?
Upvotes: 2
Views: 1131
Reputation: 6236
I think you can use the StringEscapeUtils class of Java like this:
<cfset objEscapeUtil = createObject("java", "org.apache.commons.lang.StringEscapeUtils")>
<cfset unescapedString = objEscapeUtil.unescapeJavaScript(escapedString)>
Upvotes: 1
Reputation: 14859
If you're trying to use the value of the submitted form field as the value of a JavaScript variable on the next page, then you need to use the built-in (as of ColdFusion 10) function encodeForJavaScript.
<cfoutput>var myJSvar = '#encodeForJavaScript(form.myField)#';</cfoutput>
This will properly escape the string value of form.myField, so that it can be used with JavaScript.
If you're on CF 8 or 9, the OWASP JAR file is loaded into CF (if you're patched up correctly), and you can access the same functions directly by instantiating the correct Java class.
<cfset application.xssEncoder = createObject("java", "org.owasp.esapi.ESAPI").encoder() />
<cfoutput>
var myJSvar = '#application.xssEncoder.encodeForJavaScript(form.myField)#';
</cfoutput>
Upvotes: 1
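The following is an added example, not code from either answer: a JavaScript sketch that approximates the escaping encodeForJavaScript applies, to show why a remark containing XML, quotes and newlines must be encoded before it is written into a JavaScript string literal, and that the script engine restores the original text on its own. The function names, the set of characters left unescaped and the sample remark are assumptions made for illustration.

```javascript
// Added example (not from the answers): approximates the escaping rule behind
// encodeForJavaScript so its effect on a JS string literal can be checked.
const IMMUNE = ",._"; // assumption: characters left unescaped besides [A-Za-z0-9]

function encodeForJsString(input) {
  const s = String(input);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const code = s.charCodeAt(i); // UTF-16 code unit, so surrogate pairs survive
    if (/[A-Za-z0-9]/.test(ch) || IMMUNE.includes(ch)) {
      out += ch;
    } else if (code < 0x100) {
      out += "\\x" + code.toString(16).toUpperCase().padStart(2, "0");
    } else {
      out += "\\u" + code.toString(16).toUpperCase().padStart(4, "0");
    }
  }
  return out;
}

// What the server-side template emits into the page for a given encoder.
function renderAssignment(value, encoder) {
  return "var myJSvar = '" + encoder(value) + "';";
}

// Parse the emitted statement the way a script engine would and return the
// variable, or null if the statement is not valid JavaScript.
function evaluate(statement) {
  try {
    return new Function(statement + "\nreturn myJSvar;")();
  } catch (err) {
    return null;
  }
}

// Constructed sample: XML with quotes, a newline, a closing script tag, non-ASCII.
const SAMPLE = "<remark author='ops'>line one\nline two </script> caf\u00e9</remark>";

const naive = renderAssignment(SAMPLE, (v) => v);
const encoded = renderAssignment(SAMPLE, encodeForJsString);
console.log(evaluate(naive));              // unencoded output is not valid JS
console.log(evaluate(encoded) === SAMPLE); // encoded output yields the original text
console.log(/<\/script/i.test(encoded));   // no literal closing tag left in the output
```

No decode step is needed on the receiving side: the escapes are resolved when the string literal is parsed.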