Renderer methods assume the module exists


I have been getting some errors from spiders that are trying to try different URLs to find a weakness.

The URL is this: /AdminUsers/javascript:void(0);

I think this would just take some sort of change in the Renderer.cfc in the functions locateModuleLayout and locateModuleView.
Something like:
if ( !structKeyExists(variables.modulesConfig,arguments.module) )
return 'whatever the invalidEventHandler event path is'


Matt Graff
July 21, 2020, 6:00 PM

I am yes. Normal 404s are handled. I think it is because it sees this as a module route. When the route is just “/AdminUsers/javascript” it works. When I add the “/AdminUsers/javascript:void(0);” it causes the error.

Element ADMINUSERS.JAVASCRIPT is undefined in a CFML structure referenced as part of an expression.

at cfRenderer2ecfc1070012657$funcLOCATEMODULELAYOUT.runFunction(C:\ColdFusion2018\cfusion\wwwroot\xxxxxx\frameworks\coldbox\system\web\Renderer.cfc:666


Is there is a workaround I am missing? Thanks.

Luis Majano
July 22, 2020, 2:57 PM

Ahh ok, that’s what I need to test. So the AdminUsers is a REAL module then.

Matt Graff
July 22, 2020, 7:24 PM


The correct URL is

If you type in it will give the proper 404 invalid event screen

if you type in the you will then get the error I posted above…

David Levin
January 7, 2021, 12:19 AM

This may also be related to the following issue:

I believe it has something to do with the colon in the URL path.

Matt Graff
January 7, 2021, 10:40 PM

Yes I would agree that it is the same issue. I think it is because it sees it as a module route and it does not trigger the same 404.


Luis Majano


Matt Graff




Affects versions