Glossary

What Is CFOUTPUT in ColdFusion?

by Aaron Longnion
5 min read
Contents show

Definition

cfoutput is a ColdFusion (CFML) tag that tells the server to render and send Dynamic content to the browser. Put simply, it’s the tag you use to output variables, expressions, and query results to the page. Anything inside can include evaluated expressions like #variables#, function results, and database fields.

How cfoutput Works

Basic Syntax and Variable Interpolation

  • Wrap output content in and use number signs to evaluate expressions.
  • ColdFusion replaces expressions wrapped in # # with their values.

Example:


Hello, #name#!

  • You can output expressions, not just variables:



#ucase(firstName & ” ” & lastName)#

Expression Evaluation and Functions

  • Any valid CFML expression between # # will be evaluated:
    • Math: #price * qty#
    • String ops: #trim(firstName)#
    • Date/number formatting: #dateFormat(now(), “yyyy-mm-dd”)#

Tip: Precompute expensive expressions with and then output the result to improve Performance and readability.

See also  What Is ColdFusion Admin API?

Query-Driven Output (query attribute)

can iterate through a query result set with the query attribute:

SELECT id, firstName, lastName
FROM Users
ORDER BY lastName


#id#: #lastName#, #firstName#

  • Inside this block, column names act like variables and are available directly.
  • Use startRow and maxRows to paginate:


#lastName#, #firstName#

Grouping Rows (group and groupCaseSensitive)

Group output by a column to print “header + details” sections:


SELECT department, firstName, lastName
FROM Users
ORDER BY department, lastName

#department#

  • #lastName#, #firstName#

    •

  • The outer runs once per unique group value.
  • The inner (no query attribute) iterates rows in the current group.
  • Optional: groupCaseSensitive=”true|false” to control grouping case sensitivity.

Output Buffering and Whitespace

  • CFML can output whitespace that may bloat HTML. Combine CFOUTPUT with:
    • to reduce whitespace.
    • Strategically placed blocks to minimize unnecessary output.
  • Advanced: ensures nothing is output unless wrapped by CFOUTPUT or writeOutput(), giving you tight control of rendering.

Syntax and Attributes

Common attributes you’ll use:

  • query: The query name to iterate over.
  • group: Column name to group on.
  • groupCaseSensitive: Treat group values as case-sensitive.
  • startRow, maxRows: Control paging of query output.
  • preserveSingleQuotes: Keep single quotes as-is in the evaluated output (use sparingly).

Note: CFML is case-insensitive for attribute names. Attributes like encodeFor are usually handled with functions (e.g., encodeForHTML()) rather than tag attributes.

Use Cases and Practical Examples

Printing Single Variables and Expressions


Total: #NumberFormat(total, “9,999.99”)#

Building an HTML Table from a Query (with grouping and a total)

Real-world scenario: Output a department roster with totals per department.


SELECT department, lastName, firstName, salary
FROM Staff
ORDER BY department, lastName

#department#



Name Salary
#encodeForHTML(lastName & “, ” & firstName)# #LSCurrencyFormat(salary, “USD”)#
Department Total #LSCurrencyFormat(deptTotal, “USD”)#

  • Uses grouping for department headers.
  • Sums salaries per group safely in the loop.
  • Applies output encoding for names to prevent XSS (best practice).
See also  What Is ColdFusion PDF Generation Feature?

Email and Document Templates

CFOUTPUT is often embedded in tags like , , or :



Hello #encodeForHTML(customerName)#,
Your order ## #orderID# totals #LSCurrencyFormat(orderTotal, “USD”)#.

Best practices

Security (Output Encoding)

  • Always encode untrusted data:
    • HTML: encodeForHTML()
    • HTML attributes: encodeForHTMLAttribute()
    • URLs: encodeForURL()
    • JavaScript context: encodeForJavaScript()
  • Never trust user input; encode on output even if you validated earlier.
  • Prefer cfqueryparam for SQL safety; don’t rely on preserveSingleQuotes to “fix” SQL.

Performance

  • Keep blocks tight; avoid heavy logic within them.
  • Precompute values with and output simple variables.
  • For large datasets, compare readability and performance between:
    • and

    • Both are efficient; pick the one that fits your pattern and measure in your environment.
  • Avoid nesting two tags that both have a query attribute (see Pitfalls).

Maintainability

  • Use explicit scopes when referencing variables: variables.name, session.user, application.title.
  • Escape literal # signs with ## when you want to show a hash symbol, not evaluate an expression.
  • Consider for complex templates to control accidental output.

Common pitfalls and Troubleshooting

Variables Don’t Render

  • Missing ? Without it (and without writeOutput()), expressions may not render, especially if enablecfoutputonly is on.
  • Forgot the # # around a variable? #userName# is required to evaluate it in tags.

Literal Hash Signs

  • Use double hashes to print a literal #:

Price is ## #NumberFormat(price, “9,999.99”)#

Nested Query CFOUTPUT Error

  • Error: “You have attempted to nest CFOUTPUT tags that specify a query.”
  • Fix: Don’t nest two blocks.
    • Option A: Use grouping for master-detail within a single query.
    • Option B: Use for the inner Iteration.
    • Option C: Remove the query attribute from the inner CFOUTPUT when grouping (as shown earlier).

preserveSingleQuotes Confusion

  • preserveSingleQuotes=”true” tells ColdFusion to leave single quotes untouched in evaluated output.
  • It is rarely needed; prefer context-appropriate encoding and cfqueryparam for database operations.
See also  What Is a ColdFusion Datasource?

Key Points

  • CFOUTPUT renders evaluated CFML expressions and query data to the response.
  • Use # # to interpolate variables and expressions.
  • Leverage query, group, startRow, and maxRows to control dataset output.
  • Prevent XSS by encoding output with encodeFor* functions.
  • Avoid nested CFOUTPUT tags that both specify query attributes.
  • Keep CFOUTPUT blocks focused and measure performance for large loops.

Related Tags and Alternatives

  • : Alternative to for iterating query rows.
  • writeOutput() in CFScript: Script-based equivalent to output content.
  • : Trim whitespace in templates.
  • : Require explicit output blocks or writeOutput.
  • savecontent: Capture output into a variable for later use.

FAQ

Does CFOUTPUT work inside CFScript?

Yes. In CFScript you normally use writeOutput() or string interpolation within functions like writeDump/writeOutput. You can also mix script and tags, but staying consistent (all-script or all-tags) improves readability.

Should I use or ?

Both are efficient. Choose based on readability and Features you need (e.g., grouping is built into CFOUTPUT). Benchmark if performance is critical in your environment.

How do I prevent cross-site scripting (XSS) when using CFOUTPUT?

Always encode output according to its context using the OWASP ESAPI-inspired functions: encodeForHTML(), encodeForHTMLAttribute(), encodeForURL(), encodeForJavaScript(). Do this at the time of output.

Why do I get an error when nesting CFOUTPUT tags?

You cannot nest two CFOUTPUT tags that both specify a query attribute. Use grouping, switch the inner loop to , or remove the inner query attribute when appropriate.

How do I print a literal # symbol?

Escape it by doubling the hash inside CFOUTPUT: ##. For example: Value is ## #value#.

About the author

Aaron Longnion

Aaron Longnion

Hey there! I'm Aaron Longnion — an Internet technologist, web software engineer, and ColdFusion expert with more than 24 years of experience. Over the years, I've had the privilege of working with some of the most exciting and fast-growing companies out there, including lynda.com, HomeAway, landsofamerica.com (CoStar Group), and Adobe.com.

I'm a full-stack developer at heart, but what really drives me is designing and building internet architectures that are highly scalable, cost-effective, and fault-tolerant — solutions built to handle rapid growth and stay ahead of the curve.

View all posts

You may also like