The code of my (ongoing) ColdFusion project was recently reviewed for security issued. I found one report to be very strange.

It’s about Stored Cross-Site Scripting (XSS) with a high CVSS Score of 9.1 refering to CWE ID: 79

The description reads

Context Description: In application code, untrusted user data is displayed in the user’s browser without input validation and with deprecated output encoding method which can result in a Cross-Site Scripting attack.

Note: 

• Adobe recommends that you use the EncodeForHTML function, not the HTMLEditFormat function, to escape special characters in a string for use in HTML in all new applications.
• Entire codebase is using “HTMLEditFormat” method.

I am firstly wondering if anyone of you has ever received a review that specific. I got reviews in the past that mentioned a lack of security features (like output escaping) but never played  EncodeForHTML out against HTMLEditFormat.

When they recognize the application is secured – why, still, the high score?

On Stackoverflow someone once said: HTMLEditFormat() couldn’t tell that the ampersand was already encoded, so it re-encoded it again

The documentation says: canonicalizeOptional. If set to true, canonicalization happens before encoding. If set to false, the given input string will just be encoded. The default value for canonicalize is false

This looks to me like there is no improvement by simply replacing every call to HTMLEditFormat with EncodeForHTML but I would also have to pass true as second parameter to benefit.

There is a blog post from only two years ago that deals with the improvements CF 10 braught: https://www.isummation.com/blog/day-2-avoid-cross-site-scripting-xss-using-coldfusion-10-part-1/ It looks to me, like the improvement is not the new function EncodeForHTML as it is. The improvement lies in the set of new functions like encodeForHTMLAttribute, encodeForJavaScript and so forth.

Phrased as question: Is there any benefit from calling EncodeForHTML rather than HTMLEditFormat?