Modernize or Die® - CFML News for January 11th, 2022 - Episode 130

Gavin Pickin and Eric Peterson host the first CFML News Podcast of the year. They talk about the upcoming webinar from Ortus and a workshop from Adobe. They discuss more updates for Log4j and another security story, on the Elephant Beetle. They also say goodbye to AngularJS, which was EOL'ed at the end of 2021. They discuss the latest CFCasts content, including the Into the Box 2021 videos available for free, and some upcoming conferences. They spotlight a lot of great blog posts, tweets, videos and podcasts, too many to list, so listen to the show. They announce some jobs. They show off the ForgeBox Module of the Week: JSON-Diff by Scott Steinbeck, a ColdFusion utility for checking if 2 JSON objects have differences. This week's VS Code Tip of the Week is Excel Viewer: if you're working with data, there's a high chance that you'll also encounter an Excel spreadsheet in some form, and Excel Viewer makes it easy to deal with Excel data in your VS Code editor. They thank all their Patreons, share a little information about perks for their Patreon supporters, and mention a new option, Annual Memberships with a discount. For the show notes, visit the website. Music from this podcast used under Royalty Free license from SoundDotCom and BlueTreeAudio
2022-01-11 Weekly News - Episode 130

Watch the video version on YouTube at

Gavin Pickin - Senior Software Developer for Ortus Solutions
Eric Peterson - Senior Software Developer for Ortus Solutions

Thanks to our Sponsor - Ortus Solutions

The makers of ColdBox, CommandBox, ForgeBox, TestBox and almost every other Box out there. 
A few ways to say thanks back to Ortus Solutions:
  • Like and subscribe to our videos on YouTube.
  • Subscribe to our Podcast on your Podcast Apps and leave us a review
  • Sign up for a free or paid account on CFCasts, which is releasing new content every week
  • Buy Ortus’s Book - 102 ColdBox HMVC Quick Tips and Tricks on GumRoad

Patreon Support

We have 37 patreons providing 97% of the funding for our Modernize or Die Podcasts via our Patreon site:

News and Events

Upcoming Ortus Webinar - cbwire + Alpine.js with Grant Copley

January 28, 2022 - 11:00 AM CT - Central Time (US and Canada)
In this webinar, Grant, lead developer for cbwire, will showcase how to build modern, reactive CFML apps easily using very little JavaScript.
Register today:

Log4j Updates

Log4j-2.17.1 patch released. CommandBox images updated with the latest Log4j patched jars.
Adobe has an updated technote:
Other libraries like Spreadsheet-CFML have updated as well.
Note: Log4j2 support in Lucee 5.3 is coming along for 5.3.9

‘Elephant Beetle’ Lurks for Months in Networks

The group blends into an environment before loading up trivial, thickly stacked, fraudulent financial transactions too tiny to be noticed but adding up to millions of dollars.
This beetle adores Java. The group is “highly proficient” with Java-based attacks and often targets legacy Java apps running on Linux machines – primarily, the Java-based web servers WebSphere and WebLogic – as a means of initial entry to a target environment, the researchers explained. Beyond that, Elephant Beetle even deploys its own, complete Java web application to do the gang’s bidding on compromised machines that are, meanwhile, chugging along, running legitimate apps.

Adobe Workshops

More Adobe #ColdFusion Workshops announced, led by Damien Bruyndonckx
2 dates announced:
February 2, 2022
9.00 AM - 4.30 PM CET
1.30 PM - 9.00 PM IST

March 09, 2022
9.00 AM - 4.30 PM CET
1.30 PM - 9.00 PM IST

AngularJS EOL’ed 12/31/2021

As AngularJS is faced with an uncertain future, many teams are searching for answers to the current hot topic: if you are using AngularJS, do you continue to maintain your AngularJS applications or do you migrate your applications to another framework? This is not an easy (or cheap) question to answer.
In this article, we’ll go over some of the reasons why you should consider migrating your AngularJS applications, and some ideas on how to plan and budget for a successful migration.

CFCasts Content Updates 

Just Released

Coming soon
  • Into the Box LATAM

Send your suggestions at

Conferences and Training

VueJS Nation Conference

Online Live Event
January 26th & 27th 2022
Register for Free

More conferences
Need more conferences? This site has a huge list of conferences for almost any language/community.

Blogs, Tweets and Videos of the Week

Tweet - Adam Cameron - TIL something new about CFOUTPUT
I cannot go into details of why this is a good find, but I was unaware that one can pass an encoding algorithm name like `<cfoutput encodefor="html">` (and a bunch of others) which will automatically escape the values in `#expression#`. Didn't know that.

Tweet - James Moberg - Microsoft taking log4j stuff seriously.
While performing some #coldfusion unit testing to identify #log4j exploit attempts (that my WAF may miss), I had to obfuscate the test strings or @msftsecurity would instantly quarantine & report the script. It's good to see that Microsoft is taking this seriously. #cfml

Blog - James Moberg - Log4j Exploit Pattern Detection Using ColdFusion/CFML
Here are my initial attempts at trying to detect Log4j exploit attempts that may make it past our WAF/service provider protections. While our WAF stopped requests from Trend Micro's Log4j Tester, obfuscated requests made it through. At time of testing, Azure wasn't blocking requests. I had to be a little careful with the script as Windows kept instantly quarantining the CFM files and prevented ColdFusion from executing the template.
2021-12-29: Updated rules based on Google Cloud article to additionally block rmi, ldaps & dns (in addition to stripping whitespace.)

Tweet - Zac Spitzer - Show some love for the VS Code CFML Extension
Awesome to see some activity on the vscode-cfml extension, a new minor release coming soon.
If you use it, please show some love and star the repo
#lucee #coldfusion #cfml

Blog - Ben Nadel - Building An API Client With The fetch() API In JavaScript
In my continued effort to modernize this blog, I'm thinking about trying to replace the jQuery library with more modern techniques. I don't personally have anything against jQuery; but, by replacing it, I'll have an opportunity to learn newer - and hawter - JavaScript APIs (at the expense of robust browser support). Case in point, I want to replace the jQuery.ajax() method with a fetch()-based API client. I've never used the fetch() method before; so, this will be an exciting exploration!
When consuming an API, you should always create an API client…

Blog - Ben Nadel - Showing A Comment Preview As You Type On This Blog
Since comments, on this blog, are authored using Markdown (and ColdFusion), there is a delta between what you write in the intake form and what is eventually rendered in the HTML. Much of the time, this delta is expected; however, if you have small errors in your markdown syntax, you can end up with HTML that does not reflect what you had intended to publish. To help narrow the gap between input and output, I've added a comment preview functionality to this blog.

Blog - Ben Nadel - Mitigating Cross-Site Scripting (XSS) Attacks With A Strict Content Security Policy (CSP) In ColdFusion 2021
As I continue to evolve my blogging platform, bringing it into the modern ColdFusion era, I'm trying to catch up on best practices. Of course, I've always used SQL query parameterization to block SQL injection attacks. And, I use encodeForHtml() and encodeForHtmlAttribute() in as many places as is feasible. And when converting user-provided markdown into HTML, I use the OWASP Anti-Samy project to sanitize the HTML output. But, one thing I've never had is a Content Security Policy (CSP). A CSP is yet another line-of-defense in the war against Cross-Site Scripting (XSS) attacks.
CAUTION: I Am Not A Security Expert

Blog - Ben Nadel - preserveCaseForStructKey Doesn't Work Inside Application.cfc In Adobe ColdFusion 2021
Over the New Year's holiday, I ran into a rather peculiar behavior regarding the preservation of key-casing and the serializeJson() function in Adobe ColdFusion 2021. It appears that the serialization setting for preserveCaseForStructKey doesn't apply to code that resides physically within the Application.cfc life-cycle event handlers. To demonstrate this, we can set up a simple demo in which we serialize data across the event handlers and then dump-out the response:

Blog - Ben Nadel - Posting Comments Using Reply Emails And Postmark's Inbound Streams In ColdFusion 2021
I've been a very happy Postmark customer for the last decade. Their SMTP and API services make sending and receiving emails absurdly simple. And, their Inbound webhooks allow you to treat Postmark as a reverse proxy that transforms inbound email delivery into API calls (webhooks) against your own servers. I've been wanting to use this feature on my blog forever; however, I was always afraid that it would lead to massive abuse. That said, in response to a recent spam attack, I was forced to add comment moderation. Which means, I can safely start playing with reply-based comment posting using Postmark's Inbound stream!

Blog - Ben Nadel - Centralizing The Error Response Handling For My ColdFusion Blog
If you've noticed that my blog has been quite quiet over the last few weeks, it's because I've dedicated December to modernizing and upgrading my blogging infrastructure. The refactoring has been extensive, to say the least; and, on the list of things that I've wanted to do for a long time is centralizing my error response handling in my ColdFusion code. It took me several days to find, factor-out, and normalize my errors; but, I think I have it at a point that I can easily refine and evolve going forward.


Several positions available on
Listing over 256 ColdFusion positions from 111 companies across 131 locations in 5 Countries.

7 new jobs listed

Contract - CFML Developer at Remote - United States
Jan 11

Full-Time - Software Developer - ColdFusion at Overland Park, KS - United States
Jan 11

Full-Time - IT Engineer Applications (Coldfusion developer/admin) : 19-0.. - United States
Jan 11

Full-Time - Senior Coldfusion Developer |LATAM| at Colon, PA - United States
Jan 11

Full-Time - ColdFusion Developer at Virtual, US - United States
Jan 10

Full-Time - Remote Software Developer (Cold Fusion) at Mississauga, ON - Canada
Dec 31

Full-Time - Fresh Software Engineer ( For ColdFusion Only) at Ahmedabad,.. - India
Dec 30

ForgeBox Module of the Week


JSON-Diff
By Scott Steinbeck
A ColdFusion utility for checking if 2 JSON objects have differences

Call JSONDiff.diff to get a detailed list of changes made between the JSON objects.
Call JSONDiff.isSame to get a simple boolean true or false.

VS Code Hint Tips and Tricks of the Week

Excel Viewer

If you’re working with data, there’s a high chance that you’ll also encounter an Excel spreadsheet in some form. Excel Viewer makes it easy to deal with Excel data in your VS Code editor by formatting long and comma-separated strings into a tabled format. This can work wonders for your .csv, .tsv, and .tab extensions.

Funny link:

Thank you to all of our Patreon Supporters

These individuals are personally supporting our open source initiatives to ensure that great tools like CommandBox, ForgeBox, ColdBox, ContentBox, TestBox and all the other boxes keep getting the continuous development they need, and to fund the cloud infrastructure our community relies on, like ForgeBox for our package management with CommandBox.

You can support us on Patreon here

Now offering Annual Memberships, pay for the year and save 10% - great for businesses.

  • Bronze packages and up now get ForgeBox Pro and CFCasts subscriptions as a perk of their Patreon subscription.
  • All Patreon supporters have a Profile badge on the Community Website
  • All Patreon supporters have their own Private Forum access on the Community Website
  • John Wilson - Synaptrix 
  • Eric Hoffman
  • Gary Knight
  • Mario Rodrigues
  • Giancarlo Gomez
  • David Belanger
  • Jonathan Perret
  • Jeffry McGee - Sunstar Media6
  • Dean Maunder
  • Joseph Lamoree
  • Don Bellamy
  • Jan Jannek
  • Laksma Tirtohadi
  • Carl Von Stetten
  • Dan Card
  • Jeremy Adams
  • Jordan Clark
  • Matthew Clemente
  • Daniel Garcia
  • Scott Steinbeck - Agri Tracking Systems
  • Ben Nadel
  • Mingo Hagen
  • Brett DeLine
  • Kai Koenig
  • Charlie Arehart
  • Jonas Eriksson
  • Jason Daiger
  • Jeff McClain
  • Shawn Oden
  • Matthew Darby
  • Ross Phillips
  • Edgardo Cabezas
  • Patrick Flynn
  • Stephany Monge
  • Kevin Wright
  • Steven Klotz

You can see an up to date list of all sponsors on Ortus Solutions' Website
