Canonicalize Method in ColdFusion 8 and ColdFusion 9

Earlier this morning, Mingo Hagen asked a question on Twitter about using the canonicalize function available natively in ColdFusion 10 on a ColdFusion 9 server.

ColdFusion 10 contains a few new security methods (encodeForHTML, encodeForURL etc) as well as the canonicalize method, which are drawn from the ESAPI (Enterprise Security API) .jar file included in the installation. Whilst CF8 and cF9 do not have these methods exposed as native functions, they DO contain the ESAPI.jar file. ESAPI was included in ColdFusion as a hotfix for 8 and 8.0.1 (ESAPI 1.4), and ColdFusion 9 and 9.0.1 (ESAPI 2 RC). This means we can instantiate the java library and still use these security features:

The ESAPI components and libraries are incredibly detailed and feature-rich and much more can be achieved with them, but the above code will help you instantiate the objects and use the encoding methods in earlier versions of ColdFusion (8 and 9).

I have also added the canonicalize method to my forked repository of the CFML Security project created by Pete Freitag / Foundeo last week.

You can download the fork from

  • David Epler

    Will fail if run on ColdFusion 8 or 9 with default ESAPI library installed by ASPB11-04+.
    ESAPI r1630 added String canonicalize( String input, boolean restrictMultiple, boolean restrictMixed ) method signature which is ESAPI 2.0.0+.

    Also there is another project that has already implemented the various Encode and Decode functions (including Canonicalize) that were added to CF 10 (along with some other functions).