I have some ColdFusion applications that contain javascript console.log debugging. In many cases, I didn't want to remove the code as it is beneficial for internal developers, but it didn't make sense for it to be displaying messages for the general public. Instead of adding CFIF tags around every usage, I determined that it may be a good idea to use regex to sanitize it.
I initially tried removing the logging and/or replacing it with a comment, but this didn't seem to work correctly in every context. I decided to set it to a local dummy variable so this it wouldn't do any harm during post-processing. We use jsoup to manage the order of JS/CSS loading & add pre-configured CSP rules based on content. In addition, We may use IIS Webspeed (PageSpeed for IIS) to reduce whitespace optimize css/js/images. (PageSpeed automatically removes comments & reduces JS, so I'm hoping it will reduce multiple redundant variables to a single variable.)
Using the removeLogging() UDF, I can now determine how the web application is being accessed (developer vs non-developer) and remove the console debugging for non-developer visitors. This has been tested using CF2016.
Source Code
| <cfscript> | |
| /* 2/3/2020 removeLogging - removes console.log debugging from HTML fragment. (Tested w/ACF2016) | |
| Safely replace debugging w/trivial variable assignment. (Removing or replacing with a commenting may not work in every context.) | |
| James Moberg - https://www.sunstarmedia.com/ | |
| TryCF: https://trycf.com/gist/fee255d6cbdf444e04dfda6a944e56b1 | |
| Blog: https://dev.to/gamesover/sanitizing-console-log-from-html-using-coldfusion-regex-m3b | |
| */ | |
| string function removeLogging(required string inputString, string replacementText="ignored"){ | |
| if (len(trim(arguments.replacementText)) IS 0){ | |
| arguments.replacementText = "ignored"; | |
| } | |
| return javacast("string", arguments.inputString).replaceAll("(?m)console\.(assert|clear|count|debug|dir|dirxml|error|exception|group|groupCollapsed|groupEnd|info|log|markTimeline|profile|profileEnd|table|time|timeEnd|timeStamp|trace|warn)\(([\s\S.]*?)\);", "var #arguments.replacementText#;"); | |
| } | |
| </cfscript> | |
| <cfsavecontent variable="SampleHTML"> | |
| <script> | |
| var a = location; | |
| function foo(){return new Date}; | |
| function bar(){return location.href}; | |
| console.log('TEST2', new Date); | |
| console.log('hello: ' + foo(), bar()); | |
| console.log('TEST VARS', a, new Date); | |
| console.info("TEST INFO", "this is info"); | |
| console.warn("TEST WARN", "this is a warning"); | |
| console.error("TEST ERROR", "this is an error"); | |
| console.table("TEST TABLE", a); | |
| // console.clear(); | |
| /* console.log($('#zipSearch').select2('data'), new Date); */ | |
| console.log(Math.abs(-123), new Date); | |
| console.log( "spaces" ) ; | |
| console.log('clicked', b2, b2.is(':checked'), new Date); | |
| console.log( | |
| "Multi", | |
| "line" | |
| ); | |
| console.log('components.stringify()', JSON.stringify(a)); | |
| console.log("abc;123"); | |
| //console.log('hello', new Date); | |
| </script> | |
| </cfsavecontent> | |
| <cfoutput> | |
| <div style="display:table;"> | |
| <div style="display:table-cell;"> | |
| <h2>SampleHTML</h2> | |
| <xmp>#SampleHTML#</xmp> | |
| </div> | |
| <div style="display:table-cell;"> | |
| <h2>removeLogging(SampleHTML)</h2> | |
| <xmp>#removeLogging(SampleHTML)#</xmp> | |
| </div> | |
| </div> | |
| </cfoutput> |
Top comments (0)