
Charlie Arehart's Ultimate List of 200+ New ColdFusion 10 Features

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Wondering what all is new in CF10? Have I got a list for you! :-) (revision 1.9, 217 items [1])

I've not yet seen anyone try to create an ultimate list of *all* the new features in CF10, so here's my shot at it. (This is based on the public beta. I will update it soon with info from the final release.) Of course many (including Adobe) have created lists that show perhaps a couple dozen of what they think may be the most prominent features, or the most interesting for them, etc. I've just not yet seen anyone list even simply all the features mentioned in the beta new features guide. That's what I'm doing here.

But to be clear, I am not listing every new tag and function (that would be tedious.) Instead, I'm listing them as concepts, and where warranted, any relevant subtopics that expand on the new feature.

I've got more to say about the list (how I created it basically from the 244-page CF10 new feature docs, and what you can do to help expand it). But some will want me to cut to the chase, so here's the list. Please check out the additional discussion after it.

Charlie's Ultimate List of new CF10 Features, revision 1.9 (Sep 12 2012), listing 217 items [1]

(If you want an easy URL to share for this, use tinyurl.com/ultimatecf10list.)

  • Replacement of JRun with Tomcat
    • Many are reporting better performance from this change
    • Includes support for instances and clusters, as previously (since final, this is clarified as still being Enterprise-only)
    • Support for IIS, Apache, and built-in web server, as previously
    • Support for SSL and virtual directories
    • Support for CFStat, even in multiple instances (and how to change the connector port for that)
    • Support for SES (Search engine safe) URLs and log rotation, as previously
    • Support for persistent sessions over restarts (more on that in a later blog post)
    • Support for configuring Apache virtual host for each ColdFusion instance
    • new sessionStartTime function (this seems listed in the wrong place in the doc) (as of final release, not mentioned in docs nor appearing in results of CF's getfunctionlist function. See instead new sessiongetmetadata function, which returns same session start time (for current session).)
    • New Admin API method to obtain instance name (getinstancename in runtime.cfc), versus old jrun method getServerName in the jrunx.kernel.JRun class

  • Security enhancements
    • Handling XSS attacks
      • Only the following characters are allowed as values for the attribute name in the tag cfform: alphanumeric characters, _ (underscore), - (hyphen), : (colon), and . (dot). It prevents stored XSS for the scriptsrc field
      • The following new encoding methods are added to reduce XSS attack vulnerability: encodeForHTML, encodeForHTMLAttribute, encodeForJavaScript, encodeForCSS, and encodeForURL. Encode user input according to the context it is emitted into. A method to decode an input string, canonicalize, is also added

    • Handling CSRF attacks
      • CSRFGenerateToken: Returns a random token and stores it in the session
      • CSRFVerifyToken: Validates the given token and the key against the same stored in the session

    • Session improvements
      • CF Session cookies (CFID, CFTOKEN, CFAuthorization_app-name). The new features to manage session cookies are:
        • The following properties of ColdFusion session cookies can be configured at server level or application level:
          • httponly: true by default
          • secure: false by default
          • domain
          • timeout: 30 years by default
      • New methods added for session management: SessionInvalidate, SessionRotate

    • Handling CRLF attacks
      • Protection is added against CRLF attacks for the tags which create a header, for example, cfheader, cfcontent, cfmail, cfmailpart, and cfmailparam

    • Information disclosure (Passwords for all services are encrypted in this version)

    • New HMAC function (Hash-based Message Authentication Code)

    • cfcookie support in CFScript

    • Miscellaneous Changes
      • The httponly cookies support is available on Tomcat supporting J2EE 1.6
      • A new parameter, numIteration, is added to the hash() method
      • Strengthened cflogin and authorization cookies
      • If the action attribute is not specified in the cfform tag, it does not generate the action using the current URL. If there are issues, add the following entry in the ColdFusion-install-dir\cfusion\bin\jvm.config file: -Dcoldfusion.generateformaction=true (This was changed by the final release, so no longer a "feature", as it negatively impacted some applications. See comment below by Aaron Neff.)
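As an added example (not code from the original post or from Adobe), here is how the CSRF token functions, the application-level session cookie settings, SessionRotate and the context-specific encoders listed above fit together; the file names, the application name, the token key "formToken" and the form field names are assumptions:

```cfml
// Application.cfc (assumed file; the settings are the CF10 ones listed above)
component {
    this.name = "cf10SecurityDemo";      // assumed application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // Application-level session cookie settings: CF10 already defaults httpOnly to true
    // but secure to false, so secure is the one an HTTPS-only site needs to change.
    this.sessioncookie = {
        httpOnly: true,
        secure: true
    };

    // Enforce the CSRF check centrally for every POST (assumed convention: field "csrf").
    public boolean function onRequestStart(required string targetPage) {
        if (cgi.request_method == "POST") {
            param name="form.csrf" default="";
            if (!CSRFVerifyToken(form.csrf, "formToken")) {
                getPageContext().getResponse().setStatus(403);
                writeOutput("Request rejected: missing or invalid CSRF token.");
                return false;   // false stops the requested page from running
            }
        }
        return true;
    }
}

<!--- form.cfm (assumed file): issue a token for this session under the key the check expects --->
<cfparam name="form.amount" default="">
<cfset csrfToken = CSRFGenerateToken("formToken")>
<cfoutput>
<form method="post" action="form.cfm">
    <!--- attribute context: encodeForHTMLAttribute, not encodeForHTML --->
    <input type="hidden" name="csrf" value="#encodeForHTMLAttribute(csrfToken)#">
    <label>Amount <input type="text" name="amount" value="#encodeForHTMLAttribute(form.amount)#"></label>
    <button type="submit">Transfer</button>
</form>
<cfif cgi.request_method EQ "POST">
    <!--- only reached when onRequestStart accepted the token; body context: encodeForHTML --->
    <p>Received amount: #encodeForHTML(form.amount)#</p>
</cfif>
</cfoutput>

<!--- login.cfm (assumed file): after a successful credential check, discard the pre-login identifiers --->
<cfif authenticatedOK>   <!--- assumed result of your own credential check --->
    <!--- new CFID/CFTOKEN are issued and session data carried over, so an identifier
          handed to the browser before login cannot be reused afterwards (session fixation) --->
    <cfset SessionRotate()>
    <cfset session.userId = userId>
</cfif>

<!--- logout.cfm (assumed file): drop the whole session rather than just clearing variables --->
<cfset SessionInvalidate()>
```

The three tag files are shown in one block for brevity; each is a separate template under the Application.cfc above.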

  • ColdFusion WebSocket
    • Broadcast
    • Point to point

  • Language enhancements
    • Support for for-in construct (for query)
    • Provide cffile content in the tag body
    • Callstack for ColdFusion functions (new function CallStackDump)
    • Getting application metadata (new function getApplicationMetadata)
    • Getting disk space details (new getTotalSpace, getFreeSpace functions)
    • Application-specific In-memory file system
    • Securing your uploads by default (by verifying the MIME type)
      • (Note that some of the features below are useful beyond just securing file uploads)
      • New Application.cfc event method, onAbort
      • New action copy for cfdirectory
      • New function directoryCopy
      • Modifications to the tag cffile
      • New function FileGetMimeType
    • New function ArraySlice
    • New parameter merge supports arrayAppend
    • Implicit constructor for CFC
    • Method chaining for CFC methods
    • CFC Implicit notation
    • New parameter format added to LSParseDateTime function
    • New attribute runOnce added to cfinclude
    • New attribute timeout in cfstoredproc
    • New attribute maxLength in cfparam
    • New functions dateTimeFormat and lsDateTimeFormat
    • New function reEscape
    • The function replaceList takes delimiters
    • Modifications to the functions arraySort, listSort, and structSort
    • Implicit struct now supports use of : (colon) separator
    • The attribute output is ignored in the interface signature
    • FUNCTION is now a ColdFusion datatype
    • Dynamic references supported in query looping
    • New function invoke
    • New attribute secure in cfpop
    • New attribute group in cfloop
    • For-in constructs now support Java arrays
    • Enhancements to queryAddRow and queryNew functions
    • New function listRemoveDuplicates
    • Support for XPath 2.0 and XSLT 2.0 syntax
    • (Note that there are some other new tags and functions, mentioned in other sections of this document.)

  • Closures
    • Also adds several new functions, some useful on their own as well as with closures: ArrayEach, ArrayFilter, ArrayFind, ArrayFindAll, ListFilter, isClosure, StructEach, StructFilter

  • Enhanced Java integration
    • Integrating Java libraries (dynamic class loading)
    • CFC Proxy (cfcproxy)
    • createDynamicProxy function

  • ColdFusion ORM search (full text search)
    • Settable at application, component, and property level
    • Supports both Auto-indexing (on persistence) or Offline indexing (on-demand using ORMIndex)

  • Solr enhancements [2]
    • Use Data Import Handler for database indexing
    • Index and search based on dynamic custom fields
    • Reload individual collections
    • Add languages for search
    • Secure your search system using ColdFusion Administrator
    • Autocommit indexed documents
    • Boost specific fields or entire document for improved search results

  • Scheduler enhancements
    • Grouping
    • Application-specific tasks
    • Event Handling
    • Chaining
    • Cluster
    • Cron commands
    • Prioritize tasks
    • Exclude dates
    • In case of error
    • If task misfires
    • Pause and resume/Pause all and resume all (in cfschedule)
    • List tasks
    • Retry
    • Repeat
    • Customize quartz

  • New system functions
    • getSystemFreeMemory
    • getSystemTotalMemory
    • getCPUUsage

  • Connect to Microsoft Exchange Server 2010
    • Folder operations such as create, modify, or delete
    • Get rooms and roomlist in the exchange organization
    • Information on user availability, which helps effective scheduling
    • Conversation operations such as find conversation details, copy, move, and the status if the conversation is read

  • Lazy loading across client and server (for applications that use ColdFusion ORM in the back end and Flex as the front end)

  • Web service enhancements
    • Adds WSDL 2.0 specification support to current WSDL 1.1
    • Axis 2 support in ColdFusion lets you consume web services that publish WSDL in the following styles:
      • Adds "Document Literal Wrapped", to current RPC and Document Literal support
    • Adds SOAP 1.2 protocol support to current SOAP 1.1

  • RESTful Web Services in ColdFusion

    • Follows HTTP request-response model
    • Supports all HTTP methods
    • Implicit handling of serialization/deserialization
    • Publish web service as both REST service and WSDL service

  • Media Player enhancements
    • HTML 5 video playback capability
    • Fallback to HTML 5 video playback if Flash player is not installed
    • Browser independent video controls
    • Dynamic streaming of Flash videos
    • Advanced skinning for media player
    • Play list for Flash videos
    • Embedding subtitles in SRT format using HTML track element
    • Extending media player using plug-ins built using Open Source Media Framework (OSMF), for example to:
      • Play videos in the YouTube server
      • Use stage video support by showing advertisements within the videos in linear and non-linear mode
      • Adding title to the video

  • HTML enhancements
    • Displaying geolocation
    • cfinput attribute type now supports all HTML 5 input types, for example, email, range, or date; as well as new attributes such as max and min.

  • Client-side charting
    • Popular chart formats with appropriate fallback functionality: Use HTML 5, Flash, SVG, or VML charts

  • Caching enhancements
    • Application-specific caching (optional along with existing server-level)
    • Enhanced query caching using Ehcache (configurable at server or app level, including max size and removal of cache entries by id or region)
    • New and modified cache functions
      • removeCachedQuery
      • Enhancements to existing cache functions
      • Cache statistics
    • CFLOGIN now uses ehcache for an authentication cache

  • Other enhancements
    • Virtual File System: Support for HTTP, FTP, and ZIP
    • CAR, migration, and Code Analyzer (not really "new" in CF10, nor even seemingly updated)
    • Interoperability with Microsoft Office 2010
    • ColdFusion image enhancements
      • An optional attribute interpolation has been added to cfimage action = "resize" for resampling
      • Change of behavior if attribute name used for cfimage action = "captcha" (with respect to destination)
      • The function imageDrawText now returns struct with width, height of text drawn
      • Fallback to system font for cfimage action = "captcha"
      • New function imageCreateCaptcha
      • New function ImageMakeColorTransparent creates an image and sets a transparent color
      • New function ImageMakeTranslucent create a new translucent image with given percentage of translucence
      • New parameters rule and alpha for the function imageOverlay
    • Support for HTML 5 multifile input field in fileUploadAll and Form scope
    • Function expandPath resolves files in custom tag directory
    • Form fields with same name can be accepted as an array, if new this.sameformfieldsasarray = "true" is used
    • Enhancements to Amazon S3 integration regarding file uploads
    • Database enhancements
      • Track client information (enable auditing on database, while performing a database operation, in databases that support such tracking)
        • using new ClientInfo attribute available on query tags to set the info
        • use new type="clientinfo" for CFDBINFO to determine supported ClientInfo properties
        • retrieve tracking info passed using new fetchclientinfo attribute on query tags
        • Can pass client information on datasource definition in ColdFusion administrator
      • Miscellaneous enhancements that include enhancements to connection validation and exception handling (returned with cfcatch type=database)

  • ColdFusion Administrator enhancements
    • Server update (auto hotfix management)
      • List available updates
      • Notification of new updates (on admin front page)
      • Download updates, to apply now or later (via gui or command line)
    • Scheduler (scheduled task interface)
      • Manage Application- and Server- Level Scheduled Tasks
      • Enable Cluster Setup
    • Securing search system (can make Solr an HTTPS secured server)
    • Caching enhancements
      • Use Internal Cache to store queries
      • Clearing query cache
      • Clearing folder-specific template cache
    • Web services
      • specifying default Axis version
      • specifying proxy server details (previously settable only on cfinvoke)
    • RDS can be enabled from ColdFusion Administrator
    • Can disable dumping of application scope of unnamed applications
    • Developer edition is now no longer limited to "the first two IP addresses that reach it" (which required a restart to reset) but instead can have up to any 2 concurrent IP addresses make requests against it at once
    • Accessing the ColdFusion Administrator in Developer mode when 2-IP address access limit is reached
    • Restricting access to ColdFusion Administrator (optionally, to specified IP addresses)
    • Logging Administrator actions (all admin changes now tracked in audit.log file)
    • Available Administrator password reset script
    • If, from the same host, you log in to both the ColdFusion 10 Administrator and the Administrator of an older ColdFusion version, you are logged out of one of them
    • For a user with RDS access, in the ColdFusion Administrator, you can set the data source and secured file path permissions
    • The default values for the new sandbox are changed to make it more secure
    • Changes to the default settings (for new CF installations, and/or depending on whether "secure profile" is selected on installation)
      • Client variable storage name now defaults to cookie
      • Use UUID for cftoken now defaults to enabled
      • Enable Global Script Protection now defaults to enabled
      • Maximum number of simultaneous Template requests raised from 10 to 25
      • Maximum number of simultaneous CFC function requests (called via URL) raised from 10 to 15
      • Minimum JVM Heap Size (MB) changed from unspecified to 256mb
      • Maximum size of post data (in MB) lowered from 100mb to 20mb
      • Enable ColdFusion Event Gateway Services now disabled by default
    • Session cookie settings (HTTPONLY session cookie, Secure Session cookie, Session cookie timeout options)
    • Server monitor now shows URL for request, in request details [3]

    How did I come up with the list?

    I obtained this list mostly from the Beta New Features Guide, which is listed from the CF10 wiki.

    Surprisingly, there's no table of contents, which therefore makes it hard to appreciate what all is there. Instead, there is only the bookmarks bar on the left (if you view the doc as a PDF), and that does have an outline structure, but you have to expand each one to see all that's new, which I doubt most would bother to do. So then you would have to browse the whole document and identify the headings, etc. I've filed a bug report (3132948) recommending a Table of Contents be added, if you may want to vote for it.

    To begin, I grabbed all the main sections (and some of the subsections) of that left navbar of the PDF to create this list. I also often found that some sections had features that were not drawn out into separate subsections in that outline of topics. Further, I also tweaked the wording a bit where necessary to make this stand better as a list on its own.

    So my list here really is more than "just a regurgitation of the document outline".

    FWIW, nearly all the same topics are listed also in the CF10 doc "Developing ColdFusion Applications", in the section, "What's new in ColdFusion 10". Just like the new features document and its PDF outline tree, in this other document you do also need to drill into each heading to find more details, and often it does not even list the details in the new features PDF (which at 224 pages is quite substantial).

    Finding code examples and more information

    Again, at 224 pages the new features PDF is quite substantial, and in many cases it does offer code examples for the new features. You can find still more examples, as well as more info, from any of many blog entries that have been written by various people (Adobe folks before the beta, and them and others after its release).

    The best news is that, just as with CF 9, inveterate fellow-list maker Albarsait has started his Adobe ColdFusion 10 Tutorials and Resources page where he tracks nearly all such resources (following almost the same pattern of top-level topics as I do above).

    The list will surely evolve, help me do so

    This is revision 1.8 of the list (as of an update I've done Mar 8 2012). I suspect it will grow and evolve. I know of some items that are being discussed that are not in this list, but I wanted to at least get this out as is in case it may help some readers. I will likely update it in place at least until it changes somehow substantially, so keep coming back to check the version if you're interested in tracking all that's new. :-)

    I've thought of doing something still more substantial, like a wiki (that many of us together would contribute to, to elaborate on each feature, show examples, point to resources like blog entries, etc.) If you may be interested in contributing to such a concept, let me know in the comments. (Sadly, we can't seem to contribute to the labs wiki. Plus, that will likely be removed once the beta is over.)

    BTW, some of you will know that I created a similar list back in Oct 2011, when I did a talk called "What's new in Zeus". I had compiled that list from the few public presentations Adobe had given. Silly me, I never got around to offering that list as a blog entry, so many never noticed it. I hope this list may help more people.

    If you have items you think ought to be added, do let me know in the comments, which will serve as your means of being credited (I'd rather not clutter the list with names if I add items, for now).


    [1] Additions (tracking only since Sep 2012):

    • Sep 12 2012: Added discussion of change regarding Developer edition support of any 2 concurrent IP addresses.

    [2] The bullets in this section were taken from the Developing ColdFusion 10 Applications document rather than the Beta New Features PDF.

    [3] These bullets present features which are as yet undocumented.

  • Comments
    Great list. Thanks for making it quick and easy as you always do.
    Thanks for doing this.

    I always look for this with new versions of software and I am amazed how hard it usually is to find a complete list of new features, rather than a mention of a few important ones.
    Thanks for the encouragement, Mike and Steve.

    And I agree with you, Steve, which is why I wondered about the idea of a wiki. And really, for more than just CF10, and indeed more than just CF. May pursue it if others express interest. Could be a lot of work, but as they say, "many hands make it light". We shall see.
    Great one Charlie and thanks for mentioning my ColdFusion 10 list as well. It’s really encouraging and I feel glad for receiving an appreciation for what I did.
    So many new features. I like CF10 server update. With CF10, updates will be cumulative, which means that all fixes of previously released hotfixes will be included in any new hotfix which comes later. This is great, no need to worry about the previous method of self-managing patch order and manual unzip file replacements.
    # Posted By Carl | 3/12/12 6:24 PM
    Great list, thanks for sharing ;)
    Thanks, now I have something to deep dive with. Much appreciated Charlie!

    Under Caching, you may want to add that CFLOGIN now uses ehcache for an authentication cache.
    Nice one, Rob. Done. Thanks. Hey, if that's all that's new about caching that I didn't have, then coming from you (the master of CF ehcache caching), I wipe my brow and say "phew". :-)

    Thanks, also, to Joao and Wade for the kind regards.
    Great, thanks Charlie.

    It'd be great if the list can indicate which features are limited or N/a on Standard edition.
    # Posted By Henry Ho | 5/15/12 8:27 PM
    Well, Henry, as I note at the top, I had created this back in the public beta. And at that time, the differences in editions was not published, so that's why they are not there.

    But I will note that today I posted another entry with those differences. See http://www.carehart....
    Any thoughts on how to get around the case issue with the new Tomcat server?

    is different then
    using Tomcat.

    I'm sure a lot of site are going to have issues when deploying CF10 with a legacy app that has something like <cflocation url="someurlinlowercase"> when the directories or filenames will be mixed case.
    Christopher, I'm not finding that. Let's be very specific about what you are asking.

    First, are you referring to Windows or Mac/Linux/Unix? I ask because first of all, on non-windows servers hasn't this always been the case? I know, for instance, that on those that application.cfm/cfc has to be spelled Application.cfm/cfc. On Windows, on the other hand, I am finding first that I cannot even create a file of the same name differing only by case. Windows keeps rejecting that attempt, as if I'm overwriting the current file.

    Second, when you say Tomcat, do you mean simply "the Tomcat that underlies CF"? Or do you mean more specifically the Tomcat Web Server, which is what CF now uses if you enable CF's "built-in web server" during installation (or via manually tweaking an xml file after that)?

    Again, when I do testing using that, I find that I get the same file whether I ask for it as upper or lower case (and again, in my case on Windows, there can only be one file of a given name, regardless of its case. That's always what's shown in response.)

    Further, when I use IIS to request the file, I find the same thing. Are you perhaps using Apache? How is your setup different than mine?

    (Really, this is going beyond the intent of this blog entry. I'll ask after we close this one out that other readers wanting to raise concerns over such seeming "differences" ought to raise them instead in the Adobe forums. But then certainly if it's concluded that there is a difference, I'll be happy to see it offered here.)

    Anyway, I do want to close out this problem here since you raised it. Looking forward to your reply.
    Sorry for not being a bit more detailed.

    My situation is as follows. I'm on a windows 7 box at home.
    I downloaded CF10 Dev edition and the built in webserver (Tomcat).
    Under the root I created a test directory a file name, CF10test.cfm

    I went to: http://localhost/tes... and the server barfed.
    I went to: http://localhost/test/CF10test.cfm and voila I have my test output.

    I guess what I'm saying is that in cf9 and prior, on a windows machine, the case didn't matter.

    But going forward with CF10 AND using Tomcat, there could be some case issues.

    Assuming I have a piece of code that:
    <cflocation url="http://myserver.com/...">

    but the actual filename is "launderMoney.cfm"

    Just something Windows users who are using the built in Tomcat server should be aware of.
    Great stuff! Thanks Charlie!
    @christopher, the thing is, I have the exact same setup, and i'm saying i'm NOT seeing that. And I didn't see anyone else complain of it throughout the prerelease, and have not heard it since the final. Of course, I'm not seeing everything people are reporting. :-)

    So let's see what others find and report. Admittedly, since we're talking about the built-in web server that cuts down the number of people who will hit this in the near term (many use only external web servers), and then they would also have to have a case issue to cause any conflict. But we shall see.

    You can certainly file a bug report. I'm just saying I don't think you (or anyone reading this) would want to declare "CF10 has a case problem", at least until someone else can confirm seeing this. Since you and I have about the same setup and we are seeing different results, it just says it's not "always" an issue. But let's see how it shakes out.

    @Peter, thanks for the support.
    Wrong! Case does matter as CF is a multi-platform product. For example "Application.cfm" and "OnRequestEnd.cfm" are still relevant.
    Who are you yelling at, Peter? If me, I DID say that I realize Application.cfm/cfc is case-sensitive--on non-Windows systems. See my comment at 5/16/12 6:12 PM.

    But what Christopher and I are talking about is an observation he's having of case-sensitivity even on Windows, which I'm not seeing. Are you? What is it you're saying I'm "wrong!" about?
    Not saying anyone is wrong, per se, or shouting. Apologies if that was perceived.

    To maintain backward compatibility Application.cfm and OnRequestEnd.cfm should be cased accordingly. Not sure if Adobe will change this (I've asked in the past - they said unlikely). Alternative is obviously Application.cfc (cased as a poke!).

    Not an issue usually but if your app winds up on another OS that IS stricter well... better safe than sorry.
    Always use lower case for file names where possible, apart from the Application.cfm/OnRequestEnd.cfm. Should be no dramas then.

    Just like HTML or CSS attributes lowercase is the accepted norm. Apply it to your filenames too like act_update_tableusers.cfm as opposed to act_Update_TableUsers.cfm.
    @Peter, you started your comment (that I was replying to) with "Wrong!". If that's neither "shouting' or "saying anyone is wrong", then I honestly don't know what is. :-)

    More than that, you seem stuck on your issue. I would seriously challenge you to look closely at the blog entry, and your comments, and how I've tried to acknowledge your point, yet you keep pressing it for some reason. I understand doing that when one feels they are not being heard.

    But you're not saying anything we don't already acknowledge, so why keep pressing it? Bottom line: Christopher has presented a problem. Let's focus solely on that (with respect to this whole "case" issue).

    Otherwise I would ask that we drop any other discussions with respect to case in CFML. We've gone WAY off topic of the original post. Thanks for trying to help, though.
    Charlie, I'm noticing the same issue with case sensitivity as well. I just installed CF10 developer edition using the internal Tomcat webserver on Windows 7 32-bit. I have a site and now none of my css files are showing up. When I do a view source I see "/fps/pub/AIA/scripts/text.css" as one of my resources, when I try and navigate to that I get "The requested resource (/fps/pub/AIA/scripts/text.css) is not available." However, when I navigate to "/FPS/pub/AIA/scripts/text.css" I all of a sudden see the css file.

    I also found a post on the Adobe forums regarding this.
    # Posted By Chuck S | 5/22/12 3:11 PM
    HI Charlie

    I was glad to learn to know you in Zurich, SOTR12. I was the orange one.

    Question: I was also in the CF10 beta program and I thought I saw a function described to get the device context of the client. I.e. such as the client's screen dimensions, flash availability, whatever. Do I miss something there or is this the ClientInfo you mention? Or am I completely bogus?

    # Posted By Martin Baur | 5/24/12 1:22 PM
    Thanks for pointing out the forum entry, Chuck. I would respectfully ask that all with case issues with CF10 take their comments there. I am not seeing such an error (as Christopher first raised, of a CFM file. I had not tried a CSS file as you mention, Chuck.)

    So it seems that the issue is not as obvious as "CF10's internal web server is always case sensitive", if anyone might take that away from the discussion in comments above. Just trying to help folks be objective in what they're observing/reporting. Hope whatever the problem is for some is resolved.

    Again, I'd ask that we curtail further discussion of case issues (unless someone reports a solution or discovery of why it's an issue for some and not others.) If you want to add to the chorus of those with a problem, please do it in the forum that Chuck pointed to.

    @Martin, finally, thanks for the kind regards. As for the device details, it seems that was not implemented finally, from the early mentions during the prerelease tour events. (As for your own experience, remember that "The first rule about being on the beta is never talk about being on the beta. :-)

    But no, the clientinfo stuff is NOT related to that, but rather is purely database-related. More on it in the CF10 docs.
    Hi Charlie,

    First, _awesome_ work here!! :)

    Second, just a couple notes:

    1) I see the CF10 case-sensitivity issues (mentioned in the comments) are now scheduled to be fixed: #3199283 (marked Fixed/ToTest) & #3199281 (marked BugVerified/ToFix).

    2) Tho a hotfix did remove cfform's default action from pre-CF10 versions due to XSS risk, CF10 resolved the XSS risk and restored cfform's default action in the final release. CF10 seemingly runs encodeForHTMLAttribute() on the cgi.script_name portion and runs encodeForURL() on each name & value in the query string portion. Here is an example, to show why it was restored in CF10:

    - index.cfm: <cfwindow|layoutarea|etc source="page.cfm?name=value&.."..
    - page.cfm: <cfform><cfinput type="submit" name="submit" /></cfform>

    In this example, the parent page (index.cfm) passes URL params to the child page (page.cfm). The child page contains a self-posting form. When CF writes the default cfform action, it includes the query string. Thus, the action page (itself, since its self-posting) would then receive the URL params.

    Well, the hotfix's removal of the default form action caused these forms to no longer pass the URL params. This is b/c default browser behavior is to not pass the URL params when an action-less form is submitted. So, thanks to Shilpi, that bullet regarding cfform's action no longer pertains to CF10 final. w00t!
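To illustrate the two encoding contexts Aaron describes (HTML-attribute encoding for the script path, URL encoding for each query-string name and value), here is an added example; it is not Aaron's or Adobe's code and not CF10's internal implementation, the helper name is an assumption, and the request values are constructed stand-ins for cgi.script_name and cgi.query_string:

```cfml
<!--- Constructed stand-ins for cgi.script_name and cgi.query_string (not from a real request) --->
<cfset demoScriptName = "/test/page.cfm">
<cfset demoQueryString = "name=O'Brien&q=%22%3E%3Cb%3E&flag=">

<!--- Assumed helper: the path goes through the HTML-attribute encoder (it lands inside
      action="..."), each name and value through the URL encoder (it lands in a URL). --->
<cffunction name="buildSelfPostingAction" returntype="string" output="false">
    <cfargument name="scriptName" type="string" required="true">
    <cfargument name="queryString" type="string" required="true">
    <cfset var pairs = []>
    <cfset var pair = "">
    <cfset var rawValue = "">
    <cfset var action = encodeForHTMLAttribute(arguments.scriptName)>

    <cfloop list="#arguments.queryString#" index="pair" delimiters="&">
        <!--- decode the raw component first so already-encoded input is not double-encoded --->
        <cfset rawValue = (listLen(pair, "=") GT 1) ? listRest(pair, "=") : "">
        <cfset arrayAppend(pairs,
            encodeForURL(urlDecode(listFirst(pair, "="))) & "=" & encodeForURL(urlDecode(rawValue)))>
    </cfloop>
    <cfif arrayLen(pairs)>
        <cfset action &= "?" & arrayToList(pairs, "&")>
    </cfif>
    <cfreturn action>
</cffunction>

<cfset safeAction = buildSelfPostingAction(demoScriptName, demoQueryString)>
<cfoutput>
<!--- A hand-built action that splices decoded name/value text straight into the attribute
      is what this guards against: the decoded q value above contains a quote and a tag.
      The ESAPI-style attribute encoder may also entity-encode the slashes in the path;
      browsers decode those, so the form still posts back to the same page. --->
<form method="post" action="#safeAction#">
    <input type="submit" name="submit" value="Submit">
</form>
</cfoutput>
```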

    Thanks for that, Aaron, both for the kind regards, and for the update on the coming changes.

    And as for that last point about the cfform action and url vars, this is one of those things where this entry being written based on the beta docs did come back to bite. I have made some changes to the entry since then, and I will strike out this bullet and refer readers to the comment here. Thanks for your added details.
    Hi Charlie, you are a master in CF. I want to ask about one problem I face, a case-sensitivity problem, so could you help me with this?
    Is the CRLF fix the reason why if you use this:

    <cfcontent type="application/xml; charset=utf-8">

    That it gets sent to the host as:


    The space after the semicolon is being removed...
    # Posted By Brad | 7/16/14 11:22 AM
    Ah, I found one more little hidden gem in CF10 that I'd not noticed when I posted this back in 2012: in the CF Admin, on the Settings page, there is a new "Maximum Output Buffer size" which defaults to 1024.

    I've confirmed that this was NOT in a CF9 CF Admin (specifically 9.0.2, which was the last version of CF9), so this is indeed a new setting in the Admin as of CF10. (Of course, it could be that there was such a buffer in 9 and earlier, affected only by an underlying XML or property file, which was only exposed in the Admin as of 10.)

    This could therefore influence various CFML processing based on page buffering. It's also mentioned as something to note in the CF10 and 11 lockdown guides.

    As for errors you may get, like this:

    "ColdFusion was unable to add the text you specified to the output stream. This is probably because you have already used a CFFLUSH tag in your template or buffered output is turned off."

    I'll just note that folks were getting that with CF9 (such as reported here, http://ethermuse.blo..., when someone moved from CF7 to 9), and he found the problem was simply about unexpected CFFLUSH tags, and in his case NOT related to any output buffering setting, whatever the message may have been referring to.