
CFLOCATION behavior change in CFMX7

Right after I upgraded to CFMX7 a while back, I started getting the following error on some of my pages:

ColdFusion was unable to perform the CFLOCATION operation. Location URL cannot contain (carriage return) CR or (line feed) LF characters

I noticed that all of the pages that were generating this error used the encrypt function within the cflocation tag. After a little bit of digging, I found out that the encrypt function may generate an encrypted string that contains carriage return (CR) and line feed (LF) characters, which is considered a security hole. For this reason, beginning with ColdFusion MX 7, cflocation no longer allows URLs to contain CR and/or LF characters.

The solution proposed by Macromedia in one of their technotes was that instead of passing encrypted data from one ColdFusion template to another using URL variables appended to the URL specified in the cflocation tag, save the data to an Application, Client or Session variable (whichever makes sense for the data at hand) on the originating template and then read it out on the target template. This solution worked well for me.
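A sketch of that session-variable handoff, added here as an illustration and not taken from the technote or from my original pages. The template names (origin.cfm, target.cfm), the application name, the variable names and the form field are all assumptions.

```cfml
<!--- Application.cfm: session scope must be enabled for the handoff to work.
      The application name and timeout are placeholder values. --->
<cfapplication name="exampleApp"
               sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<!--- origin.cfm (hypothetical originating template)
      Old pattern that CFMX 7 rejects whenever the encrypted string
      happens to contain CR or LF:
        cflocation url="target.cfm?data=#encrypt(form.accountId, key)#"
      New pattern: the value stays on the server and the redirect URL
      is a fixed string with nothing user- or cipher-derived in it. --->
<cfparam name="form.accountId" default="">
<cfset session.handoff = form.accountId>
<!--- addtoken="no" assumes the session is tracked by cookies --->
<cflocation url="target.cfm" addtoken="no">

<!--- target.cfm (hypothetical target template)
      Read the value once, then remove it so it does not linger in the
      session longer than the redirect needs. --->
<cfif StructKeyExists(session, "handoff")>
    <cfset accountId = session.handoff>
    <cfset StructDelete(session, "handoff")>
<cfelse>
    <!--- Reached directly, or the session expired: send the user back --->
    <cflocation url="origin.cfm" addtoken="no">
</cfif>
```

Because the value never leaves the server, it no longer needs to be encrypted for transport, and the Location header contains only the literal target path.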
