Always Encode URL Parameters

Any time you use an expression or variable to build a URL parameter, use the URLEncodedFormat() function to ensure that the value is URL safe. You should do this even if you know the value is safe (for example, a simple number). The function does no harm if the value does not need encoding (it spits it out as is), and you'll be protected if at some point the values change (they will). (Applies to: ColdFusion All)
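As an added illustration (not part of the original tip), here is the same link built with and without encoding; the page name report.cfm and the customer name are made-up sample values:

```cfml
<cfscript>
// Added example, not from the original tip: the same link built two ways.
// Constructed sample input containing characters that carry meaning inside a
// query string: space, "&", "=" and "#". (A literal "#" in a CFML string must
// be written as "##".)
customerName = "Smith & Sons=Ltd ##1";

// Unsafe: raw concatenation. The "&" in the value starts a second parameter
// and the "#" starts a URL fragment, so report.cfm receives a truncated
// "name" plus a stray " Sons" parameter, and nothing after "#" reaches the
// server at all.
unsafeUrl = "report.cfm?name=" & customerName;

// Safe: URLEncodedFormat() escapes every reserved character, so the whole
// value arrives intact as the single "name" parameter.
safeUrl = "report.cfm?name=" & URLEncodedFormat(customerName);

// A plain number passes through unchanged, which is why encoding it costs
// nothing and protects you if that parameter later carries free text.
idUrl = "report.cfm?id=" & URLEncodedFormat(42);

writeOutput(unsafeUrl & "<br>");
writeOutput(safeUrl & "<br>");
writeOutput(idUrl & "<br>");
</cfscript>

<!--- The same rule applies in tag syntax: wrap the variable inside the link. --->
<cfoutput>
<a href="report.cfm?name=#URLEncodedFormat(customerName)#">Customer report</a>
</cfoutput>
```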