I found an interesting discussion between the community and Adobe today regarding early cfscript functionality for tags. They use CFCs (query.cfc, ldap.cfc, http.cfc, etc.) located in the ColdFusion installation directory.

I found this interesting as I never put together that the early introduction of cfscript functionality using “cf…()” was a custom tag. See the screenshot below.

These do not correspond with “modern” cfscript such as “httpservice = new http();”. “cfhttp();” is a custom tag, however.

The discussion surrounded Adobe’s position/long-term plan for these CFC’s. If you look at ColdFusion Deprecated Features, these specific functions have been depreciated since the 2018 release. Not that they are NOT marked as “Deprecated and unsupported”. However, in the Adobe bug tracker, any related bug (and there’s a lot) has been marked as “Never fixing”. This realistically means “unsupported” and therefore, bugs, and potentially security risks, continue to be present even in 2023. Adobe has marked this for internal discussion on how to handle future releases.

It is my recommendation that if you use “cf…()” in your cfscripts while using ColdFusion 2018+, you cease using them in any new code, instead using “modern cfscript”. For existing code, getting those swapped typically looks like replacing the function as you touch it through the code lifecycle. However, some more sensitive organizations may wish to swap these out as a project and were unaware of this. To be clear, I am aware of no active security issues that would dictate immediate replacement.

It is good to take a quick peek at ColdFusion Deprecated Features to become familiar with depreciated functions and attributes so we do not continue to build technical debt for ourselves or our customers. A more popular example may be HTMLEditFormat.

#cfscript