Just a quick post to announce that I'll be speaking about "Debugging ColdFusion Web Applications using Firebug and ColdFire" at the ColdFusion Unconference. If you're going to MAX this year and want to find out more about what Firebug and ColdFire can do for you, come check out my session.
I just posted ColdFire 184.108.40.206 to RIAForge which fixes a couple of recently discovered bugs. For details check out the ColdFire site.
I've been using Ben Nadel's POIUtility for a while now. I really like the custom tag library he has built for building Excel spreadsheets, particularly the way he has abstracted the POI cell formatting options out to CSS. Last week, however, I ran into a strange issue while running the latest release on CFMX 7. Cell styles were not being properly applied and it seemed to be related to the CSS style caching functionality. What was even more strange was that the code ran fine on CF 8. Below are samples of the correctly styled spreadsheet generated by CF 8 and the incorrectly formatted spreadsheet generated by CF 7.
Here is an Application.cfc which implements HTTP Basic Authentication:
Over the weekend I put CF Debug Copy for IE up on RIAForge. I hadn't posted this to RIAForge before because I had plans to investigate building the Windows installer using WiX so that I could post the source along with the final .msi. Since it has been well over a year and I haven't got around to this, I figured I might as well post the installer I built using Visual Studio.
I've run into a couple of ColdFusion quirks over the past few days that I thought I'd share. (I should note that these were observed on Adobe CF 8.)
SerializeJSON and Boolean Strings
If you try to serialize the strings "Yes", "No", "True" or "False" using SerializeJSON, ColdFusion will convert these strings to boolean values (i.e. "Yes" becomes true, "False" becomes false). This is because ColdFusion is weakly typed and uses some pretty liberal implicit conversion rules when it comes to boolean evaluation. I see this as an issue for the purposes of serializing and deserializing JSON for two reasons. First, there is the potential to lose data. If you serialize the string "Yes" and then deserialize the JSON that ColdFusion generates, you are left with true, which is obviously a totally different value than what you started with. Second, it is not really consistent behavior because SerializeJSON does not convert 1 or 0 (also ColdFusion booleans) to the boolean values true and false. I think the better approach here would be to serialize all strings as strings and only serialize "real" boolean values as booleans.
The other inconsistency I ran into was with IsXML. If you pass something other than a string to IsXML the function throws an error. This is different than the documented behavior which states:
True, if the function parameter is a string that contains well-formed XML text; False, otherwise.
This is also different than the other CFML decision functions which simply return false if passed a function parameter they can't handle. (See IsXmlAttribute for example.)
I think the IsXML issue could definitely be considered a bug, and while the SerializeJSON issue is a little fuzzy, I've gone ahead and reported both as bugs.
Last week I attended a web application security workshop presented by the SANS Institute. While a majority of the content was a review for me, I did learn about one type of attack I was not familiar with, the Cross Site Request Forgery (CSRF) attack. This type of attack, also known as session riding, has been around for a while and is really pretty simple.