cfml compat - cfinclude with non cfml files

Description

In ACF you can do this:

<cfinclude template="/mymapping/thing.js">

In BoxLang this causes:

The template path [/mymapping/thing.js] has an invalid extension to be executed [js].

Note that ACF does not compile the js file, so you can’t stick CFML code in there and change the extension to js, so you can’t attempt to inject CFML code into an application by pretending it’s ‘static’ JS.

cfdocs says:

CF11: Changed behavior such that only files with the extension cfm or cfml are compiled and executed by cfinclude (configurable in Application.cfc via this.compileextforinclude), all other files will be statically included.

Adobe docs say:

By default only files with the cfm and cfml extensions get compiled when included using the <cfinclude> tag. All other files when included using the cfinclude tag will not get compiled but their content will be statically included. No error will be thrown.

Activity

Brad Wood last week

I have made the following extensions “core” in regards to compile-able templates and they cannot be removed.

"bxs", "bxm", "bxml", "cfm", "cfml", "cfs"

The validTemplateExtensions setting in boxlang.json is now empty by default and will always be used IN ADDITION TO the core extensions.

Furthermore, the include functionality will write the contents of the file to the page buffer for any non-compilable template, just like CF does. It will NOT parse or compile it.

Luis Majano April 9, 2025 at 8:31 AM

can u expand

Brad Wood last week

yeah, the issue here isn’t what files are blocked or allowed by default. The issue here is what ACTION is taken when a file is blocked.

  • BoxLang throws an exception and blows up the page

  • Adobe CF simply reads the file contents and includes them but DOESN’T compile it as source code

That’s the difference. cfinclude on CF can still be used as a generic include on any file extension, even if that file won’t be compiled.

Luis Majano April 8, 2025 at 10:43 AM

By default it’s not enabled due to security risks. You can enable it yourself:

https://boxlang.ortusbooks.com/getting-started/configuration/directives#valid-template-extensions

John Whish April 8, 2025 at 11:04 AM
Edited

I thought that setting was what is considered a CFML file so is run as a CFML file, everything else is just included as is.

As per cfdocs:

CF11: Changed behavior such that only files with the extension cfm or cfml are compiled and executed by cfinclude (configurable in Application.cfc via this.compileextforinclude), all other files will be statically included.

ACF docs:

By default only files with the cfm and cfml extensions get compiled when included using the <cfinclude> tag. All other files when included using the cfinclude tag will not get compiled but their content will be statically included. No error will be thrown.

This file in our app is just Javascript so I do not want it run as a CFML (or BoxLang) template, I just want to read and output the contents as is.
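
An added example, not part of the ticket or BoxLang's own code: a small Python audit that lists each tag-form cfinclude in a source file and reports whether its target would be compiled or only written to the page buffer, using the core extension list from Brad Wood's comment plus any validTemplateExtensions entries. The function names, the sample source, and the case-insensitive, last-extension-only matching are assumptions.

```python
import re
from pathlib import PurePosixPath

# Core compilable extensions, copied from Brad Wood's comment in this thread.
CORE_EXTENSIONS = {"bxs", "bxm", "bxml", "cfm", "cfml", "cfs"}

# Tag-form <cfinclude template="..."> only; script-syntax includes are not covered.
INCLUDE_RE = re.compile(
    r"<cfinclude\b[^>]*?\btemplate\s*=\s*(['\"])(.*?)\1",
    re.IGNORECASE | re.DOTALL,
)


def classify_include(template, extra_extensions=()):
    """Return 'dynamic', 'compiled' or 'static' for one template path."""
    if "#" in template:
        # Path is built at runtime, so the extension cannot be judged statically.
        return "dynamic"
    allowed = CORE_EXTENSIONS | {e.lower().lstrip(".") for e in extra_extensions}
    # Assumption: only the final extension counts and matching ignores case.
    ext = PurePosixPath(template.replace("\\", "/")).suffix.lstrip(".").lower()
    return "compiled" if ext in allowed else "static"


def audit(source, extra_extensions=()):
    """Return (line, template, classification) for every cfinclude tag."""
    findings = []
    for match in INCLUDE_RE.finditer(source):
        line = source.count("\n", 0, match.start()) + 1
        template = match.group(2)
        findings.append((line, template, classify_include(template, extra_extensions)))
    return findings


# Constructed sample source, not taken from any real application.
SAMPLE = """<cfinclude template="/mymapping/thing.js">
<cfinclude template="header.cfm">
<cfinclude template='/mymapping/#viewName#.cfm'>
<CFINCLUDE TEMPLATE="/mymapping/widget.CFML">
<cfinclude template="/mymapping/thing.cfm.js">
"""

if __name__ == "__main__":
    for extras in ([], ["js"]):
        print("validTemplateExtensions =", extras)
        for finding in audit(SAMPLE, extras):
            print("  line %d: %s -> %s" % finding)
```

Running it with `["js"]` as the extra list shows `thing.js` moving from static to compiled, which is the change to review before adding an extension to validTemplateExtensions.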

Fixed

Created April 8, 2025 at 10:24 AM
Updated last week
Resolved last week
