Modernize or Die® - CFML News Podcast for May 28th, 2024 - Episode 216

2024-05-28 Weekly News — Episode 216

Watch the video version on YouTube at

  • Eric Peterson - Senior Developer at Ortus Solutions
  • Daniel Garcia - Senior Developer at Ortus Solutions

Thanks to our Sponsor - Ortus Solutions

The makers of ColdBox, CommandBox, ForgeBox, TestBox and all your favorite box-es out there. 
A few ways to say thanks back to Ortus Solutions:

Patreon Support (Magnificent)
We have 50 patreons:

News and Announcements

BoxLang — Dynamic : Modular : Productive

New Releases and Updates

Galaxie Blog 3.57

ITB Releases

ITB Highlights

Keynote Day 1

  • BoxLang released!
    • Modern Dynamic Language
    • Java Interop
    • Pure Functions + Immutable Classes
    • Multi-Runtime Architecture
    • Multi-Parsers : BoxLang + CFML + ???
    • Event-Driven Language
    • Enterprise Caching Engine & Aggregator
    • Scheduling & Task Framework
    • Tested & Documented
    • Tooling
      • BoxLang IDE (VS Code Extension)
      • CLI
      • Debugger
    • Modules
      • Web Applications - HTTP Request/Response Data
      • Tasks and Queues -  Watchers, Event Handling, Async
      • Lambda and CLI -  fast start and blazing speeds!
      • iOS/Android - Low resource footprint, event handling
      • Web Assembly - Transpilation and Sandboxing
      • Has installers
      • AWS Lambda Runtime
    • Professional Open Source
    • Visionary Licenses

Keynote Day 2

  • ColdBox 8.x Beta in 2024, release in 2025
  • New cbDebugger (thanks Scott Steinbeck)
  • ContentBox 7 Beta in 2024, release in 2025
    • CommandBox
    • CommandBox Pro
    • Multisite Support (don’t need pro for this actually)
    • Windows Installer
    • Updated Docker Images
    • New Iron Bank images
  • cbWire v4 launched
  • Modules
    • QB Updates
    • Quick Updates
    • Hyper Updates
    • cbq Updates
    • Vite plugin
    • Megaphone
    • cbSecurity Passkeys



  • Runs on AWS Lambda
cbWire v4
  • wire:navigate
  • Lazy Loading
  • Teleport
  • Execute JavaScript from templates
  • Streaming responses
  • Smaller and faster!
cbSecurity Passkeys
  • Add Passkey support to your site that uses cbSecurity
  • Easy to get started with and configurable to your needs
cbq v3
  • More stable, fewer bugs, and better docs

Webinars, Meetups and Workshops

Into the Box 2024, Day 1 & 2 Keynotes
Into the Box 2024 Keynote Day 1:
Into the Box 2024 Keynote Day 2:

CFCasts Content Updates

Recent Releases
  • ITB 2024 videos coming soon for all attendees

Conferences and Training

CFCamp 2024

CF Summit West in Las Vegas

At Resorts World - New venue!!!
Sep 30 - Oct 1st for the Conference
Oct 2nd for the Certification

$99 for the Session Pass right now.
Coupon code might be in your email if you are a previous attendee for even better pricing
$199 for the Professional Pass - includes Certification Training on the 2nd of Oct.

Call for Speakers is Open!!!


Resorts World
3000 S Las Vegas Blvd,
Las Vegas, NV, United States, Nevada

Looking for accommodations?

We've secured exclusive, low room rates of $105 + taxes/day especially for our attendees! Easy and hassle-free booking is just a click away.

Secure your spot now to make the most of your trip with comfortable and affordable accommodations

Ortus - Workshop - TBA

ITB 2025
  • Location: Washington, DC
  • Dates: April 30, 2025 - May 2, 2025 - Washington, DC
  • 50% off blind tickets

More conferences

Need more conferences? This site has a huge list of conferences for almost any language/community.

Blogs, Posts, and Videos of the Week

5/1/24 - Blog - Robert Zehnder - KISDigital - Tidying up HTML with jSoup: Part Deux
The output of commandbox-ssg has always been something that makes my OCD tingle. When build generates a site, templates are rendered in steps: first the view gets rendered, the next step is to render the page layout around the view, and finally the layout is applied. Due to how things are processed the indentation is "chunky" and the rendering process will also generate blank when processing the CFML templates.

The output is not bad, it just is not great. The Solution: jSoup

5/3/24 - Blog - Robert Zehnder - KISDigital - The Law of Unintended Consequences
I was feeling pretty good about myself when I managed to post-process commandbox-ssg HTML output using jSoup. The downside, as I learned after the fact, non-HTML files were still getting the same treatment. By default jSoup uses an HTML parser and will wrap the output in html and body tags if they do not exist in the input html. Needless to say, that does not bode well when your sitemap.xml or an RSS feed is wrapped in HTML tags.

5/8/24 - Blog - Harsh Jaiswal & Rahul Maini - Hacking Apple - SQL Injection to Remote Code Execution
In our last blog post, we delved into the inner workings of Lucee and took a look at the source code of Masa/Mura CMS, and the vastness of the potential attack surface struck us. It became evident that investing time in understanding the code could pay off. After dedicating a week to our exploration, we stumbled upon several entry points for exploitation, including a critical SQL injection flaw that we were able to exploit within Apple's Book Travel portal.

In this blog post, we aim to share our insights and experiences, detailing how we identified the vulnerability sink, linked it back to its source, and leveraged the SQL injection to achieve Remote Code Execution (RCE).

5/6/24 - Blog - Ben Nadel - Where Does Serialization / Deserialization Belong In A Database Access Workflow?
A ColdFusion web application is composed of a series of nested abstractions. Each abstraction layer hides some level of private detail and exposes data for public consumption. For most of the work that I do, the exposed data is one dimensional. But, on occasion, I need to store complex object structures. As a simple example, I might have a MySQL table with a JSON column. Which means that each record that I read from said database table contains both normal data and serialized data. Which begs the question: where in the data access workflow should the embedded serialized data (JSON) be deserialized?

5/12/24 - Blog - Ben Nadel - Experimenting With SQLite JDBC Connections In Lucee CFML
Although SQLite has been around for almost 25-years, it seems to be having a moment. In the past year or two, I've heard many people discuss the power of embedding SQLite databases within an application. I've never looked at SQLite before; and, I don't think it necessarily makes sense in the context of a ColdFusion web application; but, as a fun exploration, I wanted to see if I could get ColdFusion to connect to a SQLite database.

5/13/24 - Blog - Ben Nadel - Creating On-The-Fly Datasource Connections In Lucee CFML
In yesterday's post on connecting to SQLite databases using JDBC in Lucee CFML, I was creating and consuming a new, user-specific datasource on every page request. In order to do this, I made use of a technique that I only just learned about from the CommandBox Book written by Ortus Solutions. Apparently, in Lucee CFML, you can provide the CFQuery datasource attribute as a struct instead of a string.

5/14/24 - Blog - Ben Nadel - Creating In-Memory SQLite Databases Using JDBC In Lucee CFML
In my first look at connecting to SQLite databases using JDBC in Lucee CFML, I was creating physical database files and synchronizing them between my Docker container and my host machine. But, in an experimentation context, there may not be any need to persist the database state across container restarts. In such a context, I could have used SQLite's in-memory database mode to explore the SQLite space without having to worry about persisting data to disk.

5/18/24 - Blog - Ben Nadel - Experimenting With Low-Level SQLite Access In Lucee CFML
In my first look at accessing SQLite databases in ColdFusion, I was using a Lucee CFML specific feature that allows for creating on-the-fly datasources in the CFQuery tag. As a follow-up experiment, I wanted to see if I could use lower-level Java methods—in the java.sql package—in order to access SQLite without having to rely on Lucee-only features.

5/17/2024 - Blog - Robert Zehnder - KISDigital - Setting up your first BoxLang Server

It is easy to get started working with BoxLang, but I thought I would put together a quick post on how to get started with a development server. The first step is to set up your webroot.


Several positions available on

Listing over 126 ColdFusion positions from 79 companies across 53 locations in 5 Countries.

3 new jobs listed in the last few weeks

Full-Time — AWS and ColdFusion Full Stack Developer
New York, NY, United States
Posted May 01

Full-Time — Cold Fusion Developer I
Posted May 09

Full-Time — Senior Web Developer ColdFusion
Regal Medical Group
Northridge, CA, United States
Posted May 17

Other Job Links
There is a jobs channel in the CFML slack team, and in the Box team slack now too

ForgeBox Module of the Week


Start a BoxLang server using CommandBox 6!

box install commandbox-boxlang
box server start cfengine=boxlang javaVersion=openjdk_21

VS Code Hint, Tip, and Trick of the Week


An extension for the development of BoxLang.

At a glance

  • Built-in BoxLang runtime for easy development
  • Tooling
    • Debugger
    • Web server that can be launched within VSCode
    • Execute .bxs files
    • Execute .bx files that have a main method
  • Language support
    • Syntax highlighting
    • Language server integration (alpha)
  • Support of existing CFML functionality

Thank you to all of our Patreon Supporters

These individuals are personally supporting our open source initiatives to ensure great tooling like CommandBox, ForgeBox, ColdBox, ContentBox, TestBox and all the other boxes keeps getting the continuous development it needs.

Their contributions fund the cloud infrastructure that our community relies on, like
  • ForgeBox for our Package Management with CommandBox.

You can support us on Patreon here

Don’t forget, we have Annual Memberships, pay for the year and save 10% - great for businesses everyone.

  • Bronze Packages and up now get ForgeBox Pro and CFCasts subscriptions as a perk of their Patreon Subscription.
  • All Patreon supporters have a Profile badge on the Community Website
  • All Patreon supporters have their own Private Forum access on the Community Website
  • All Patreon supporters have their own Private Channel access on BoxTeam Slack

Top Patreons (magnificent)
  • John Wilson - Synaptrix
  • Tomorrows Guides
  • Jordan Clark
  • Gary Knight
  • Giancarlo Gomez 
  • David Belanger  
  • Dan Card
  • James Moberg & Jeffry McGee - Sunstar Media 
  • Dean Maunder
  • Kevin Wright
  • Doug Cain 
  • Nolan Erck 
  • Abdul Raheen

And many more Patreons - up to 50 now!!!!!

You can see an up to date list of all sponsors on Ortus Solutions' Website

Thanks everyone!!!

★ Support this podcast on Patreon ★

Music from this podcast used under Royalty Free license from SoundDotCom and BlueTreeAudio

© 2019 Ortus Solutions