Extra line feeds in textareas / issue with Microsoft Edge or encodeForHTML (ColdFusion)

This is a strange one that only started within the past few months I would say. Textareas in Microsoft Edge only are displaying extra line breaks when using ColdFusion's encodeForHTML(). How to reproduce...

<cfset x = chr(49)&chr(13)&chr(10)&chr(50)&chr(13)&chr(10)&chr(51)>
<cfoutput>
<textarea rows="10">#encodeForHTML(x)#</textarea>
</cfoutput>

In Edge it displays like this...

enter image description here

But in all other browsers (and even in Edge up until recently) it looks like this...

enter image description here

Here's another strange behavior: if you inspect that element, double-click on the value as if you are going to edit it, don't change anything, and just hit enter, then the extra line feeds disappear. Here is a vid demonstrating it...

enter image description here

So I then decided to output the ASCII of everything AFTER it went through encodeForHTML() and this is the result...

49| = 1
38|35|120|100|59|38|35|120|97|59| = &#xd;&#xa;
50| = 2
38|35|120|100|59|38|35|120|97|59| = &#xd;&#xa;
51| = 3

Which is what I expected. Years ago I talked to one of the founders of the ESAPI project, which is what encodeForHTML() uses, and he said it switches out page breaks to prevent log spoofing. So since this just recently started happening in Edge, would you say this is an issue with Edge and it cannot handle &#xd;&#xa; properly within a textarea? Or is there some other way to fix this that would still be safe from XSS? Thanks!

I also tried looking through Microsoft Edge's release notes but could not find anything related to this issue.

Harijan answered 30/5, 2019 at 23:48

Comments (6)
Can you please inform us which version of MS Edge you are using for testing this issue? As we do not have ColdFusion available, I ran a test on the latest version of MS Edge and found that the textarea works fine with it. Let us know if there is any alternative way to produce the issue without using ColdFusion. We will try to test it again. Just for testing purposes, I suggest you run a test with the new Edge Chromium to see the results with it. Ref: microsoftedgeinsider.com/en-us/download – Fornix

@Fornix - (I don't have access to MS Edge at the moment, and can't test it, but..) You might try this test page on trycf.com: trycf.com/gist/29c0fa7941211d5e59e6ccf9d899ef4e/… – Telecommunication

I tried to open the link with MS Edge and found that the issue is reproducible with Edge. The code looks correct in developer tools. Looks like some issue with Edge. I will try to provide feedback regarding this issue to the Edge developers. Thanks for your understanding. – Fornix

@Fornix I'm using this version: Microsoft Edge 44.17763.1.0 /// Microsoft EdgeHTML 18.17763 – Harijan

I opened this issue: developer.microsoft.com/en-us/microsoft-edge/platform/issues/… – Harijan

I cannot reproduce the issue on Edge/17.17134. Besides, Microsoft announced that it is stopping development of the EdgeHTML engine in favor of Blink. So it's probably not something report-worthy anymore. – Lager
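
An added example (not from the original post, and not ESAPI or ColdFusion code): a simplified JavaScript stand-in for the encoder that reproduces the `&#xd;&#xa;` output and the character-code dump from the question, then shows that collapsing CRLF to LF before encoding drops the `&#xd;` while markup characters stay encoded. The function names and the safe-character set are assumptions, and whether LF-only output avoids the Edge rendering is not confirmed in this thread.

```javascript
// Added illustration; a simplified stand-in, not ESAPI's or ColdFusion's encoder.
// Assumption: alphanumerics and a few punctuation characters pass through;
// everything else becomes a hex character reference (named entities are not modelled).
const SAFE = /^[A-Za-z0-9 ,.\-_]$/;

function encodeForHtmlLike(text) {
  return Array.from(text, ch =>
    SAFE.test(ch) ? ch : `&#x${ch.codePointAt(0).toString(16)};`
  ).join("");
}

// Collapse CRLF and bare CR to LF *before* encoding, so only &#xa; is emitted.
// The encoder still runs on the whole string afterwards, so nothing is left unencoded.
function normalizeNewlines(text) {
  return text.replace(/\r\n?/g, "\n");
}

// Same kind of dump as in the question: decimal code of each output character,
// each followed by a pipe.
function codeDump(encoded) {
  return Array.from(encoded, ch => ch.charCodeAt(0) + "|").join("");
}

// Reverse the hex references, to confirm which characters the HTML parser
// hands to the textarea.
function decodeHexEntities(encoded) {
  return encoded.replace(/&#x([0-9a-f]+);/gi, (_, hex) =>
    String.fromCodePoint(parseInt(hex, 16)));
}

// Constructed sample inputs: the question's value x, and a line carrying markup.
const x = "1\r\n2\r\n3";
const withMarkup = "a\r\n</textarea><script>";

console.log(encodeForHtmlLike(x));
console.log(codeDump(encodeForHtmlLike("\r\n")));
console.log(encodeForHtmlLike(normalizeNewlines(x)));
console.log(encodeForHtmlLike(normalizeNewlines(withMarkup)));
```

The normalization step runs before the encoder and never replaces it, so the value written into the textarea still contains no literal `<`, `>` or `&` other than the references the encoder itself emits.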
