Question

We've got an odd issue occurring with ColdFusion on BlueDragon.NET. Asking here because of the broad experience of StackOverflow users.

Tags inside POSTed content to our BlueDragon.NET server get removed, and we're not sure where in the stack it's getting removed. So for example, if we post this data:

[CORE]
Lesson_Status=Incomplete
Lesson_Location=comm_13_a02_bs_enus_t17s06v01
score=
time=00:00:56
[Core_Lesson]
<sd ac="" pc="7.0" at="1289834380459" ct="" ><t id="lo8" sc=";;" st="c" /></sd>
<sd ac='' pc='7.0' at='1289834380459' ct='' ><t id='lo8' sc=';;' st='c' /></sd>
<sd ac="" pc="7.0" at="1289834380459" ct="" ><t id="lo8" sc=";;" st="c" /></sd>
<sd ac="" pc="7.0" at="1289834380459" ct="" ><t id="lo8" sc=";;" st="c" /></sd>
<b>hello1</b>
<i>hello2</i>
<table border><td>hello3</td></table>
<sd>hello4</sd>
<sd ac="1">hello5</sd>
<t>hello6</t>
<t />
<t attr="hello8" />
<strong>hello10</strong>
<img>
><>

What we get back is this:

[CORE]
Lesson_Status=Incomplete
Lesson_Location=comm_13_a02_bs_enus_t17s06v01
score=
time=00:00:56
[Core_Lesson]



hello1
hello2
hello3
hello4
hello5
hello6


hello10

>

That is, anything that starts with < and ends with > is getting stripped or filtered and no longer appears in ColdFusion's FORM scope when it's posted.

Our server with BlueDragon JX does not suffer this problem.

If we bypass using the default FORM scope and use this code, the tag-like content appears:

<cfscript>
    // get the content string of the raw HTTP headers, will include all POST content as a long querystring
    RAWREQUEST = GetHttpRequestData();
    // split the string on "&" character, each variable should now be separate
    // note that at this point duplicate variables will get clobbered
    RAWFORMFIELDS = ListToArray(RAWREQUEST.content, "&");
    // We're creating a structure like "FORM", but better
    BetterFORM = StructNew();
    // Go over each of the raw form fields, take the key
    // and add it as a key, and decode the value into the value field
    // and trap the whole thing if for some reason garbage gets in there
    for(i=1;i LTE ArrayLen(RAWFORMFIELDS);i = i + 1) {
        temp = ListToArray(RAWFORMFIELDS[i], "=");
        try {
            tempkey = temp[1];
            tempval = URLDecode(temp[2]);                 
            StructInsert(BetterFORM, tempkey, tempval);
        } catch(Any e) {
            tempThisError = "Malformed Data: " & RAWFORMFIELDS[i];
            // Log the value of tempThisError here?         
            // WriteOutput(tempThisError);
        }
    }
</cfscript>
<cfdump var="#BetterFORM#">

If we do this, and use the created BetterFORM variable, it's there, so it does not seem to be a problem with the requests being filtered at some other point in the stack. I was thinking maybe it was URLScan, but that appears not to be installed. Since BD.NET runs on .NET as the engine, perhaps there's some sanitization setting that is being used on all variables somehow?

Suggestions, ideas, etc are welcome on this issue.


Solution 2

It turned out to be very mundane.

We had a custom tag that did customized string replacements. On one server, it was modified to NOT replace all tags. On this server, we were using an older version that did. So the fault was not a difference between BlueDragon JX and BlueDragon.NET -- it was developer team error.

Other tips

I don't have a BD.NET instance handy to check, but Adobe ColdFusion has a setting in the CF administrator to strip "invalid tags". That's my best guess. Adobe CF replaces them with "invalidTag"; my guess is that BD.NET just strips them silently.
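The comparison the question makes by hand (raw request body versus what the application ends up seeing) can be run offline against a captured body. This is an added Python example, not code from the original posts; the field name `payload`, the sample values, the comma-joining of duplicate fields and the `<[^>]*>` pattern are assumptions, and the "invalidTag" marker is the one named in the answer above.

```python
import re
from urllib.parse import parse_qsl, quote_plus

# Assumption: the filter removes anything that starts with "<" and ends with ">".
TAG_LIKE = re.compile(r"<[^>]*>")

def parse_raw_body(body):
    """Decode a urlencoded POST body, keeping empty values and duplicate keys."""
    fields = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        fields.setdefault(key, []).append(value)
    return fields

def classify(sent, seen):
    """Describe how the value the application saw differs from what was sent."""
    if seen is None:
        return "missing"
    if seen == sent:
        return "intact"
    if seen == TAG_LIKE.sub("", sent):
        return "tags stripped"
    if "invalidtag" in seen.lower() and "invalidtag" not in sent.lower():
        return "tags replaced with marker"  # marker name as given in the answer
    return "altered"

def diff_fields(raw_body, seen_fields):
    """Compare every field in the raw body with the application's view of it."""
    report = {}
    for key, values in parse_raw_body(raw_body).items():
        # Assumption: the framework joins duplicate fields with commas.
        report[key] = classify(",".join(values), seen_fields.get(key))
    return report

# Constructed sample: a few lines of the question's payload in a hypothetical
# field named "payload", and the value the application reported for it.
SENT = '[Core_Lesson]\n<sd ac="1">hello5</sd>\n<b>hello1</b>\n<img>\n><>'
RAW_BODY = "score=&session=abc&payload=" + quote_plus(SENT)
SEEN = {"score": "", "session": "abc",
        "payload": "[Core_Lesson]\nhello5\nhello1\n\n>"}

if __name__ == "__main__":
    for name, verdict in diff_fields(RAW_BODY, SEEN).items():
        print(f"{name}: {verdict}")
```

A "tags stripped" verdict on a field whose raw value is intact points at code running after request parsing, which is where the fault was eventually found.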

License: CC-BY-SA with attribution
Not affiliated with StackOverflow