fix: encode after truncating to avoid splitting HTML entities (wh-etb.2)

bpamiri · bpamiri · commit daa6a0298144 · 2026-03-23T23:03:36.000-07:00
left(encodeForHTML(x), 100) could split an HTML entity like &amp;amp; into
&amp;am, producing malformed output. Reversed to encodeForHTML(left(x, 100))
so truncation happens on raw text before encoding.
diff --git a/cli/src/models/AdminViewService.cfc b/cli/src/models/AdminViewService.cfc
@@ -205,9 +205,9 @@ component {
 			return h & 'timeFormat(' & qv & ', "HH:nn:ss")' & h;
 		}
 
-		// Text / textarea — truncate in list view
+		// Text / textarea — truncate in list view (encode after truncating to avoid splitting HTML entities)
 		if (field.inputType == "textarea" || field.dataType == "text") {
-			return h & "left(encodeForHTML(" & qv & "), 100)" & h;
+			return h & "encodeForHTML(left(" & qv & ", 100))" & h;
 		}
 
 		// Default — encode for safety

Original file line number	Diff line number	Diff line change
`@@ -205,9 +205,9 @@ component {`
`205`	`205`	`return h & 'timeFormat(' & qv & ', "HH:nn:ss")' & h;`
`206`	`206`	`}`
`207`	`207`
`208`		`- // Text / textarea — truncate in list view`
	`208`	`+ // Text / textarea — truncate in list view (encode after truncating to avoid splitting HTML entities)`
`209`	`209`	`if (field.inputType == "textarea" \|\| field.dataType == "text") {`
`210`		`- return h & "left(encodeForHTML(" & qv & "), 100)" & h;`
	`210`	`+ return h & "encodeForHTML(left(" & qv & ", 100))" & h;`
`211`	`211`	`}`
`212`	`212`
`213`	`213`	`// Default — encode for safety`