EncodeForHTML vs. HTMLEditFormat
Is EncodeForHTML as it is more secure than HTMLEditFormat?
The code of my (ongoing) ColdFusion project was recently reviewed for security issued. I found one report to be very strange.
It’s about Stored Cross-Site Scripting (XSS) with a high CVSS Score of 9.1 refering to CWE ID: 79
The description reads
Context Description: In application code, untrusted user data is displayed in the user’s browser without input validation and with deprecated output encoding method which can result in a Cross-Site Scripting attack.
- Adobe recommends that you use the EncodeForHTML function, not the HTMLEditFormat function, to escape special characters in a string for use in HTML in all new applications.
- Entire codebase is using “HTMLEditFormat” method.
I am firstly wondering if anyone of you has ever received a review that specific. I got reviews in the past that mentioned a lack of security features (like output escaping) but never played EncodeForHTML out against HTMLEditFormat.
When they recognize the application is secured – why, still, the high score?
On Stackoverflow someone once said: HTMLEditFormat() couldn’t tell that the ampersand was already encoded, so it re-encoded it again
The documentation says: canonicalizeOptional. If set to true, canonicalization happens before encoding. If set to false, the given input string will just be encoded. The default value for canonicalize is false
This looks to me like there is no improvement by simply replacing every call to HTMLEditFormat with EncodeForHTML but I would also have to pass true as second parameter to benefit.
Phrased as question: Is there any benefit from calling EncodeForHTML rather than HTMLEditFormat?