Re: Best practices for xss security in CMS? - Related Question

2014-03-06 Thread Pete Freitag

On Wed, Mar 5, 2014 at 11:16 AM, Nick Gleason n.glea...@citysoft.com wrote:


 Hi Pete,
 I've been researching CSP and it sounds like a pretty cool option.  But, I
 just wanted to follow up on this comment that you made below:

 -- it will also block inline scripts and style elements --

 Are you saying that even if you have the self or default values in
 place, it will block a regular old script in your page?  For instance, if
 you just have something like this:

 <script>CODE HERE</script>

 That will be a problem?  Why?


Hi Nick,

Yes if you have the following:

Content-Security-Policy: default-src 'self';

It will block any <script>code here</script> tags in your page, you can
only use <script src="/some/uri"></script>

This is a recognized problem in CSP1.0 and CSP 1.1 is currently in
development right now with two solutions for this use case, you can specify
a nonce in the header, so you would do something like this:

Content-Security-Policy: script-src 'self' 'nonce-random_string_123';

Then you can do this:

<script nonce="random_string_123">code here</script>

You can do the same for inline style tags. See
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#nonce-usage-for-script-elements

The second option in CSP1.1 is hash whitelisting, where you compute a hash
of the script contents and put that in the header. See
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#hash-usage-for-script-elements


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
minutes


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357861
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
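
An added example, not part of Pete's message: a small Node.js model of how a browser decides whether an inline script may run under the policies shown above, with helpers that produce the nonce and hash sources. The function names are assumptions made for this sketch, hashing is limited to SHA-256, and the rule that a nonce or hash switches off 'unsafe-inline' is taken from CSP Level 2, the finished form of the 1.1 draft discussed here.

```javascript
// Added example (not from the thread): simplified model of CSP inline-script checks.
const nodeCrypto = require('node:crypto');

// Per-response nonce: unpredictable and regenerated for every response.
function makeNonce() {
  return nodeCrypto.randomBytes(16).toString('base64');
}

// Hash source for an inline script: base64 SHA-256 of the exact text
// between <script> and </script>, whitespace included.
function hashSource(scriptText) {
  const digest = nodeCrypto.createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Split a policy string into { directiveName: [source, ...] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Would a browser enforcing `policy` execute this inline script?
// nonceAttr is the value of the script element's nonce attribute, if any.
function inlineScriptAllowed(policy, scriptText, nonceAttr) {
  const directives = parsePolicy(policy);
  // script-src governs scripts; default-src is the fallback when it is absent.
  const sources = directives['script-src'] || directives['default-src'];
  if (!sources) return true; // nothing in the policy restricts scripts

  if (nonceAttr && sources.includes(`'nonce-${nonceAttr}'`)) return true;
  if (sources.includes(hashSource(scriptText))) return true;

  // CSP Level 2: once a nonce or hash source is listed, 'unsafe-inline' is ignored.
  const hasNonceOrHash = sources.some(s => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
  const unsafeInline = sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  return unsafeInline && !hasNonceOrHash;
}

// Build the header and the matching inline script tag for one response.
function buildPage(inlineJs) {
  const nonce = makeNonce();
  return {
    nonce,
    header: `Content-Security-Policy: script-src 'self' 'nonce-${nonce}';`,
    html: `<script nonce="${nonce}">${inlineJs}</script>`,
  };
}

// Constructed sample run.
const page = buildPage('init();');
const policy = page.header.replace(/^Content-Security-Policy:\s*/, '');
console.log(page.header);
console.log('own script runs:     ', inlineScriptAllowed(policy, 'init();', page.nonce));
console.log('injected script runs:', inlineScriptAllowed(policy, "alert('xss')", undefined));
```

The nonce only helps if it is different on every response and never appears in content that users can edit; the hash only matches while the script text stays byte-for-byte identical.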


Re: Best practices for xss security in CMS? - Related Question

2014-03-05 Thread Nick Gleason

Hi Pete,
I've been researching CSP and it sounds like a pretty cool option.  But, I
just wanted to follow up on this comment that you made below:

-- it will also block inline scripts and style elements --

Are you saying that even if you have the self or default values in
place, it will block a regular old script in your page?  For instance, if
you just have something like this:

<script>CODE HERE</script>

That will be a problem?  Why?
That seems like a pretty big issue since there are lots of legitimate 
reasons to have a javascript in a web page.
I just want to make sure that I am understanding the situation.
Thanks!
Nick

 




Re: Best practices for xss security in CMS? - Related Question

2014-03-04 Thread Pete Freitag

On Mon, Mar 3, 2014 at 5:11 PM, Nick Gleason n.glea...@citysoft.com wrote:


 Pete,

 Much appreciated.  I guess where I'm being a bit of a dunce is that in your
 example, if a malicious url.query variable was passed in by a hacker,
 wouldn't the display only be available on that single request?  And if I
 come to the same search form 2 minutes later and do a normal search, won't
 it be clean?  I guess that, assuming we have no sql injection to the db, I
 don't see how that attack stays persistent (as it would possibly for a
 comment or forum post).  Sorry to be over-simple on this.


Hi Nick,

It is not a persistent attack unless it gets saved to a DB somewhere, etc.
But it is still considered harmful, for example if I send you a link that
uses javascript to write a login form on the page that submits to my
server... then that is not a good thing. Normal visitors can't parse a
query string to recognize that it is rewriting the DOM, especially when
they see HTTPS they expect that everything on the page is as you intended
it. Or the attacker might simply grab cookies and use them to hijack the
victim's session. These examples are a bit more targeted, they will
probably affect every user of the site but the attacker can use the hole to
eventually get the info they are after.


 Re: the content security policy, that looks very interesting.  Watching a
 presentation on it now.  One quick question.  If we are using that on a
 site and then an admin comes in and uses an iframe widget from youtube to
 display a video on a page in the site, does that get filtered by CSP (and
 require an exception for youtube)?  I gather that would need to be excepted
 in the frame-src header, right?


Yes you would have to allow the youtube.com domain in your CSP header, eg:

Content-Security-Policy: default-src 'self'; frame-src 'self' youtube.com;

One thing to keep in mind with Content-Security-Policy is that when you
enable it, it will also block inline scripts and style elements, you can
override that using unsafe-inline but then you also lose a lot of the
benefits of CSP.




Re: Best practices for xss security in CMS?

2014-03-03 Thread Russ Michaels

well it all depends on several factors. how many forms do you have within
your site that result in content being inserted into the database and then
displayed on the page. If your CMS is the only place this happens and this
is password protected then you can afford to be more flexible about what
tags you allow.
However relying on passwords alone is almost pointless these days unless
you at the very least enforce some password strength, as your security is
then only as strong as the person with the weakest password.
You could consider some extra steps for any back end/cms system, such as
restricting access by IP address, which is done at web server level. How
you do this depends on how many users you have and if they have static IP's
and if they are likely to connect remotely from mobile devices etc.  If you
only have a small number of static IP's to allow, then do that.
If adding specific IP's is not viable, then use a VPN, and then just allow
the IP of the VPN server, which will allow your users to connect from
anywhere and any device as long as they have a vpn connection.
The other option is 2 factor authentication. This is actually easier than
it seems, take a look at google authenticator for a real simple solution.



On Mon, Mar 3, 2014 at 4:12 AM, Nick Gleason n.glea...@citysoft.com wrote:


 Hi Russ,

 Yes, we can definitely turn these tags on and off.  The challenge is that
 if we follow OWASP closely, then we shut off tags that clients genuinely
 need (e.g. iframe for youtube content).  So, we're trying to figure out how
 to give clients adequate features without opening up too much risk.  Of
 course, publishing is behind a login so there is that kind of restriction
 in place before you even get to an editor to publish.

 I'm curious how wordpress handles this issue.  From the little research I
 have done, it seems that none of these tags (iframe, embed, object) are
 blocked by default in wordpress installations.  I would think that would
 open them up to some risk, but perhaps having the editor behind a secure
 login mitigates the risk to a large extent.

 Thanks again!

 Nick

 -Original Message-
 From: Russ Michaels [mailto:r...@michaels.me.uk]
 Sent: Friday, February 28, 2014 9:39 AM
 To: cf-talk
 Subject: Re: Best practices for xss security in CMS?


 with any decent editor including CKeditor and tinyMCE, you can specify down
 to a granular level which html tags and attributes are allowed/not allowed,
 just check the docs and there should be a config file somewhere in your CMS
 that instantiates the editor where you can modify these settings.
 So it is pretty easy to do as you need.
 It is also a good idea to restrict other tags to avoid numpty editors from
 just copying and pasting content which screws up the layout.



 On Fri, Feb 28, 2014 at 4:29 PM, Dave Watts dwa...@figleaf.com wrote:

 
   I'm very interested in your feedback on best practices when 1)
   trying to mitigate risk of XSS and other hacks while 2) providing
   CMS functionality that includes a web editor that clients use to
   publish web pages.
   For example, there are many tags like style, iframe, and embed
   that are considered risks by OWASP and others but are also typically
   needed by CMS users to create web pages, embed youtube videos, and the
   like.
   We're thinking through how to manage the trade offs so that we
   protect clients but don't frustrate them in making their web pages.
   I'd love to know how others are managing these issues effectively.
   Our users who are creating web pages with an editor (FCKeditor) are
   generally working behind a login as administrators, so there is that
   login security - not anyone can use the editor to create a web page.
   But, we have generally had a lot more security than that.
   I'm assuming that there are users of Mura, Farcry and other CMS's on
   this list and I'd love to know how you have addressed these risks.
 
  While Pete's responses are great (as always), you might also consider
  whether you can apply more traditional network access controls to
  the problem. For example, you might be able to separate authoring from
  publishing entirely, so that authors go to one server and viewers just
  go to the production publishing server. We do this for quite a few of
  our customers. This isn't necessarily a replacement for client
  injection risk mitigation, but it can be a great complement.
 
  Dave Watts, CTO, Fig Leaf Software
  1-202-527-9569
  http://www.figleaf.com/
  http://training.figleaf.com/
 
  Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA
  Schedule, and provides the highest caliber vendor-authorized
  instruction at our training centers, online, or onsite.
 
 



 


Re: Best practices for xss security in CMS?

2014-03-03 Thread Dave Watts

 Dave, this is an interesting idea which we haven't pursued yet.  I don't
 have a clear sense of how the server configuration would work here.  Would
 you have two separate db servers (one for authored content and one for
 published content) that would sync up?  Or would you have an authoring
 infrastructure that would then generate more traditional static html?  I'm
 just trying to get a sense of how the separation would work.

It can vary, but it's usually pretty simple: an authoring environment
and a production environment where content is published. This by
itself really has nothing to do with preventing XSS on its face, but
it prevents unauthorized users from being able to create content - the
production environment simply has no way to allow users to create or
edit content. These environments typically either share a database, or
data is migrated automatically from one database to another.

Of course, we still need to sanitize content prior to production, but
we only have to worry about people with access to the physical network
where the authoring environment lives. This is often a fairly small
group, and hopefully a more trustworthy group.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.



Re: Best practices for xss security in CMS? - Related Question

2014-03-03 Thread Pete Freitag

On Sun, Mar 2, 2014 at 11:21 PM, Nick Gleason n.glea...@citysoft.com wrote:


 Hi guys,

 Following up on this thread I have a related question - what are some
 examples of XSS scenarios other than comments and forum posts.
 Any other prominent risk scenarios for XSS?


There are a lot of scenarios, essentially anywhere you output a variable
that originated in some part from an external source.

So for example, let's say you have a search form for your site with some
code like this:

<cfoutput>Your search for #url.query# returned #search.recordcount#
results</cfoutput>

There is an XSS risk there because someone could create a link to
/search.cfm?query=<script>alert('xss')</script> (now if you try that
example in a modern browser you will find that it might not actually work
due to the builtin XSS protection in browsers, but the hole is there and
there are ways to bypass the browser's xss protection).

So basically any time you take a variable that comes from the user or some
other untrusted source and output it, you have the potential for an XSS
hole.

Also you should check out Content-Security-Policy headers; this can help
reduce XSS risks significantly on browsers that support it. See:
http://content-security-policy.com/ for more info or come to my
cf.Objective(2014) presentation :)


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
minutes
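
The search example above, as an added Node.js sketch that is not code from the thread: the same output written once without encoding and once with HTML encoding applied to the untrusted value. `encodeForHtml`, the render functions and the `cms.example` host are assumptions made for the illustration; in CFML the encoding step would be a call such as encodeForHTML() around url.query.

```javascript
// Added example (not from the thread): reflected XSS in a search results line,
// shown unencoded and encoded.

// Characters that are significant in HTML text and in quoted attribute values.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ENTITIES[ch]);
}

// Pull the "query" parameter out of a request URL, as url.query would hold it.
function queryFromUrl(requestUrl) {
  const parsed = new URL(requestUrl, 'https://cms.example'); // placeholder host
  return parsed.searchParams.get('query') ?? '';
}

// Same behaviour as the thread's snippet: the value is written out untouched,
// so markup in the query string becomes markup in the page.
function renderUnsafe(query, count) {
  return `<p>Your search for ${query} returned ${count} results</p>`;
}

// Hardened form: encode at the point of output, in the text node and in the
// attribute that echoes the value back into the search box.
function renderEncoded(query, count) {
  const safe = encodeForHtml(query);
  return `<p>Your search for ${safe} returned ${Number(count)} results</p>` +
         `<input type="text" name="query" value="${safe}">`;
}

// Constructed request using the link from the message above, URL-encoded.
const sampleUrl = "/search.cfm?query=%3Cscript%3Ealert('xss')%3C%2Fscript%3E";
const sampleQuery = queryFromUrl(sampleUrl);
console.log(renderUnsafe(sampleQuery, 0));
console.log(renderEncoded(sampleQuery, 0));
```

Encoding belongs at output time and has to match the context; this helper covers HTML text and quoted attributes only, not values written into script blocks, URLs or CSS.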




RE: Best practices for xss security in CMS? - Related Question

2014-03-03 Thread Nick Gleason

Pete,  

Much appreciated.  I guess where I'm being a bit of a dunce is that in your
example, if a malicious url.query variable was passed in by a hacker,
wouldn't the display only be available on that single request?  And if I
come to the same search form 2 minutes later and do a normal search, won't
it be clean?  I guess that, assuming we have no sql injection to the db, I
don't see how that attack stays persistent (as it would possibly for a
comment or forum post).  Sorry to be over-simple on this.

Re: the content security policy, that looks very interesting.  Watching a
presentation on it now.  One quick question.  If we are using that on a site
and then an admin comes in and uses an iframe widget from youtube to display
a video on a page in the site, does that get filtered by CSP (and require an
exception for youtube)?  I gather that would need to be excepted in the
frame-src header, right?

Nick







RE: Best practices for xss security in CMS?

2014-03-03 Thread Russ Michaels

You could manage the web.config ip filter via cf.
You can also have the option to disable 2 factor authentication for a
specific computer for 30 days which is a common option, using either a
cookie or ip logging.

Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com
On 3 Mar 2014 22:22, Nick Gleason n.glea...@citysoft.com wrote:


 Hi Russ,

 This is very interesting.  In this case, we limit failed logins to a fairly
 small number before the login is disabled so in theory that would prevent
 dictionary style attacks, even against fairly weak logins.  If you think
 that is flawed, let me know.

 We've discussed adding an IP filter, although I was thinking that we would
 try to do it within the application code rather than at the web server in
 case someone doesn't have access to the web server configuration.  I
 suppose it could be done in web.config as well (on IIS), but it seems like
 it would be easier for client to manage to have the IP list within the
 user's record.

 It would be nice if we could essentially ban all foreign IPs from admin
 access (when it made sense for a client), but when researching that a while
 back it seemed a little tricky.

 With google style 2 factor authentication, I get the idea of requesting a
 numeric code in a text message - that doesn't sound terribly complicated.
 But, I'm sure that people would want to elect to stay logged in on this
 computer and I'm not clear on how best to manage that.

 Thanks again.

 Nick





 



RE: Best practices for xss security in CMS?

2014-03-03 Thread Nick Gleason

Hi Russ,

This is very interesting.  In this case, we limit failed logins to a fairly
small number before the login is disabled so in theory that would prevent
dictionary style attacks, even against fairly weak logins.  If you think
that is flawed, let me know.

We've discussed adding an IP filter, although I was thinking that we would
try to do it within the application code rather than at the web server in
case someone doesn't have access to the web server configuration.  I suppose
it could be done in web.config as well (on IIS), but it seems like it would
be easier for client to manage to have the IP list within the user's record.

It would be nice if we could essentially ban all foreign IPs from admin
access (when it made sense for a client), but when researching that a while
back it seemed a little tricky.

With google style 2 factor authentication, I get the idea of requesting a
numeric code in a text message - that doesn't sound terribly complicated.
But, I'm sure that people would want to elect to stay logged in on this
computer and I'm not clear on how best to manage that.

Thanks again.

Nick







Re: Best practices for xss security in CMS? - Related Question

2014-03-03 Thread Money Pit

Nick you are correct, strictly speaking.  That simple example is harmless,
it runs only one time and is 'visible' only to the single client.  Consider
what happens if the payload that is executed is nowhere nearly as benign.
At that point, code of some kind is being executed on your server that does
something you don't intend, and regardless of the fact it only executes
once, it could make all sorts of mischief depending on its level of
sophistication.

-- 
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com




Re: Best practices for xss security in CMS? - Related Question

2014-03-03 Thread Money Pit

To clarify, I was oversimplifying above when I said 'code is being executed
on your server'.  Pete's script example would of course need to link up
with some other vulnerability for that to happen (i.e. an unpatched exploit
of some kind).

Since you can't predict such things, you minimize the number of liberties
someone can take with your server's tender innocence.


-- 
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com




RE: Best practices for xss security in CMS?

2014-03-02 Thread Nick Gleason

Hi Guys, thanks for all the responses - much appreciated.

Dave, this is an interesting idea which we haven't pursued yet.  I don't
have a clear sense of how the server configuration would work here.  Would
you have two separate db servers (one for authored content and one for
published content) that would sync up?  Or would you have an authoring
infrastructure that would then generate more traditional static html?  I'm
just trying to get a sense of how the separation would work.

N

-Original Message-
From: Dave Watts [mailto:dwa...@figleaf.com] 
Sent: Friday, February 28, 2014 8:29 AM
To: cf-talk
Subject: Re: Best practices for xss security in CMS?


 I'm very interested in your feedback on best practices when 1) trying 
 to mitigate risk of XSS and other hacks while 2) providing CMS 
 functionality that includes a web editor that clients use to publish web
 pages.
 For example, there are many tags like style, iframe, and embed
 that are considered risks by OWASP and others but are also typically
 needed by CMS users to create web pages, embed youtube videos, and the
 like.
 We're thinking through how to manage the trade offs so that we protect 
 clients but don't frustrate them in making their web pages.
 I'd love to know how others are managing these issues effectively.  
 Our users who are creating web pages with an editor (FCKeditor) are 
 generally working behind a login as administrators, so there is that 
 login security - not anyone can use the editor to create a web page.  
 But, we have generally had a lot more security than that.
 I'm assuming that there are users of Mura, Farcry and other CMS's on 
 this list and I'd love to know how you have addressed these risks.

While Pete's responses are great (as always), you might also consider
whether you can apply more traditional network access controls to the
problem. For example, you might be able to separate authoring from
publishing entirely, so that authors go to one server and viewers just go to
the production publishing server. We do this for quite a few of our
customers. This isn't necessarily a replacement for client injection risk
mitigation, but it can be a great complement.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule,
and provides the highest caliber vendor-authorized instruction at our
training centers, online, or onsite.





RE: Best practices for xss security in CMS?

2014-03-02 Thread Nick Gleason

Hi Russ,

Yes, we can definitely turn these tags on and off.  The challenge is that if
we follow OWASP closely, then we shut off tags that clients genuinely need
(e.g. iframe for youtube content).  So, we're trying to figure out how to
give clients adequate features without opening up too much risk.  Of course,
publishing is behind a login so there is that kind of restriction in place
before you even get to an editor to publish.

I'm curious how wordpress handles this issue.  From the little research I
have done, it seems that none of these tags (iframe, embed, object) are
blocked by default in wordpress installations.  I would think that would
open them up to some risk, but perhaps having the editor behind a secure
login mitigates the risk to a large extent.

Thanks again!

Nick

-Original Message-
From: Russ Michaels [mailto:r...@michaels.me.uk] 
Sent: Friday, February 28, 2014 9:39 AM
To: cf-talk
Subject: Re: Best practices for xss security in CMS?


with any decent editor including CKeditor and tinyMCE, you can specify down
to a granular level which html tags and attributes are allowed/not allowed,
just check the docs and there should be a config file somewhere in your CMS
that instantiates the editor where you can modify these settings.
So it is pretty easy to do as you need.
It is also a good idea to restrict other tags to avoid numpty editors from
just copying and pasting content which screws up the layout.



On Fri, Feb 28, 2014 at 4:29 PM, Dave Watts dwa...@figleaf.com wrote:


  I'm very interested in your feedback on best practices when 1) 
  trying to mitigate risk of XSS and other hacks while 2) providing 
  CMS functionality that includes a web editor that clients use to publish
  web pages.
  For example, there are many tags like style, iframe, and embed
  that are considered risks by OWASP and others but are also typically
  needed by CMS users to create web pages, embed youtube videos, and the
  like.
  We're thinking through how to manage the trade offs so that we
  protect clients but don't frustrate them in making their web pages.
  I'd love to know how others are managing these issues effectively.
  Our users who are creating web pages with an editor (FCKeditor) are
  generally working behind a login as administrators, so there is that
  login security - not anyone can use the editor to create a web page.
  But, we have generally had a lot more security than that.
  I'm assuming that there are users of Mura, Farcry and other CMS's on 
  this list and I'd love to know how you have addressed these risks.

 While Pete's responses are great (as always), you might also consider 
 whether you can apply more traditional network access controls to 
 the problem. For example, you might be able to separate authoring from 
 publishing entirely, so that authors go to one server and viewers just 
 go to the production publishing server. We do this for quite a few of 
 our customers. This isn't necessarily a replacement for client 
 injection risk mitigation, but it can be a great complement.

 Dave Watts, CTO, Fig Leaf Software
 1-202-527-9569
 http://www.figleaf.com/
 http://training.figleaf.com/

 Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA 
 Schedule, and provides the highest caliber vendor-authorized 
 instruction at our training centers, online, or onsite.

 





RE: Best practices for xss security in CMS?

2014-03-02 Thread Nick Gleason

Right now we are using a combination of portcullis plus home grown filters
within the application as well as within the web server (which we control).

We would definitely consider looking at Fuseguard as well (but haven't yet).

N

-Original Message-
From: Adam Cameron [mailto:dacc...@gmail.com] 
Sent: Friday, February 28, 2014 11:10 AM
To: cf-talk
Subject: Re: Best practices for xss security in CMS?


Sorry, I only read as far as disabling Javascript and was commenting on
that. The fact remains that anything done *clientside* is not reliable. It
seems we're not disagreeing there,

Certainly having a WAF is borderline essential on anything other than a
trivial site. I'm not entirely sure doing @ CF level is the correct place to
do it, but that's an aside.

Sorry for confusion.

--
Adam


On 1 March 2014 07:59, Russ Michaels r...@michaels.me.uk wrote:


 I disagree 100%
 scanning All form fields globally for any dodgy content is the complete
 opposite of narrow sighted, it is a much more efficient way to make sure
 nothing gets through rather than instead trying to do these checks in
 multiple different places and potentially missing one.



 On Fri, Feb 28, 2014 at 6:56 PM, Adam Cameron dacc...@gmail.com wrote:

 
  That's a bit narrow-sighted.

  Hackers don't disable JS to bypass clientside pre-validation, they just
  post the form directly. Often the server code is not coded in such a way
  to be aware how a post is made (via a legit form, or just by a POST
  request).

  *Always* consider client-side pre-validation a nice to have and really
  more a UX (hey, you malformed that phone number, wanna try again? sort
  of thing) consideration than actual validation. And *always* do
  validation on the server.

  --
  Adam


  On 1 March 2014 07:44, Russ Michaels r...@michaels.me.uk wrote:

   although these days if a user has javascript disabled they won't be
   able to use the cms at all as it is a requirement for the editor and
   all the AJAXy stuff.
   but what you can do, is apply filtering to all form fields at a global
   level, so any form submission any page will have anything dodgy
   removed.
   I believe FuseGuard will do this for you.







RE: Best practices for xss security in CMS?

2014-03-02 Thread Nick Gleason

Hi Adam,

Can you tell me a little more about what you mean by coding in order to
prevent posting directly to a form and bypassing validation?

Nick

-Original Message-
From: Adam Cameron [mailto:dacc...@gmail.com] 
Sent: Friday, February 28, 2014 10:56 AM
To: cf-talk
Subject: Re: Best practices for xss security in CMS?


That's a bit narrow-sighted.

Hackers don't disable JS to bypass clientside pre-validation, they just post
the form directly. Often the server code is not coded in such a way to be
aware how a post is made (via a legit form, or just by a POST request).

*Always* consider client-side pre-validation a nice to have and really
more a UX (hey, you malformed that phone number, wanna try again? sort of
thing) consideration than actual validation. And *always* do validation on
the server.

--
Adam




On 1 March 2014 07:44, Russ Michaels r...@michaels.me.uk wrote:


 although these days if a user has javascript disabled they won't be able to
 use the cms at all as it is a requirement for the editor and all the AJAXy
 stuff.
 but what you can do, is apply filtering to all form fields at a global
 level, so any form submission any page will have anything dodgy removed.
 I believe FuseGuard will do this for you.


 On Fri, Feb 28, 2014 at 6:34 PM, Adam Cameron dacc...@gmail.com wrote:

 
  Also bear in mind that is only half the work. Whatever pre-validation
 or
  UX tweaks one does on the client, one still needs to do the actual
  validation on the server too.
 
 
  On 1 March 2014 06:38, Russ Michaels r...@michaels.me.uk wrote:
 
  
   with any decent editor including CKeditor and tinyMCE, you can specify
  down
   to a granular level which html tags and attributes are allowed/not
  allowed,
   just check the docs and there should be a config file somewhere in
your
  CMS
   that instantiates the editor where you can modify these settings.
   So it is pretty easy to do as you need.
   It is also a good idea to restrict other tags to avoid numpty editors
  from
   just copying and pasting content which screws up the layout.
  
  
  
   On Fri, Feb 28, 2014 at 4:29 PM, Dave Watts dwa...@figleaf.com
 wrote:
  
   
 I'm very interested in your feedback on best practices when 1)
 trying
   to
 mitigate risk of XSS and other hacks while 2) providing CMS
   functionality
 that includes a web editor that clients use to publish web pages.
 For example, there are many tags like style, iframe, and
 embed
   that
 are considered risks by OWASP and others but are also typically
  needed
   by
 CMS users to create web pages, embed youtube videos, and the like.
 We're thinking through how to manage the trade offs so that we
  protect
 clients but don't frustrate them in making their web pages.
 I'd love to know how others are managing these issues effectively.
   Our
 users who are creating web pages with an editor (FCKeditor) are
   generally
 working behind a login as administrators, so there is that login
security -
 not anyone can use the editor to create a web page.  But, we have
generally
 had a lot more security than that.
 I'm assuming that there are users of Mura, Farcry and other CMS's
 on
   this
 list and I'd love to know how you have addressed these risks.
   
While Pete's responses are great (as always), you might also
consider
whether you can apply more traditional network access controls to
the problem. For example, you might be able to separate authoring
 from
publishing entirely, so that authors go to one server and viewers
 just
go to the production publishing server. We do this for quite a few
of
our customers. This isn't necessarily a replacement for client
injection risk mitigation, but it can be a great complement.
   
Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/
   
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.
   
   
  
  
 
 

 



~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357808
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


RE: Best practices for xss security in CMS? - Related Question

2014-03-02 Thread Nick Gleason

Hi guys,

Following up on this thread I have a related question - what are some
examples of XSS scenarios other than comments and forum posts?  As I have
researched the topic, it seems like a lot of the XSS examples given relate
to users posting to comments and forums.  That's good to understand but is
not a prominent part of our system at the moment.  So, I'm hoping to get
some other scenarios / examples where there may be risk.  Many of our forms
submit data but don't necessarily display back to other users the way that
comments would.

Any other prominent risk scenarios for XSS?

N

-Original Message-
From: Russ Michaels [mailto:r...@michaels.me.uk] 
Sent: Friday, February 28, 2014 11:58 AM
To: cf-talk
Subject: Re: Best practices for xss security in CMS?


tsk, not reading properly before replying is very naughty, I will set
Charlie Arehart on you.

I am quite confident that fuseguard would do a better job than a generic WAF
on a CF site, and anyone on shared hosting won't really have the option to do
a server wide solution.
but certainly if you use multiple technologies on your server then I agree
that a generic  WAF would be the better way to go, and there are some IIS
modules I  which you can enable just on your own site using the web.config
(helicon do this), so don't need server access, apache is probably the same.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357809


Re: Best practices for xss security in CMS?

2014-02-28 Thread Dave Watts

 I'm very interested in your feedback on best practices when 1) trying to
 mitigate risk of XSS and other hacks while 2) providing CMS functionality
 that includes a web editor that clients use to publish web pages.
 For example, there are many tags like style, iframe, and embed that
 are considered risks by OWASP and others but are also typically needed by
 CMS users to create web pages, embed youtube videos, and the like.
 We're thinking through how to manage the trade offs so that we protect
 clients but don't frustrate them in making their web pages.
 I'd love to know how others are managing these issues effectively.  Our
 users who are creating web pages with an editor (FCKeditor) are generally
 working behind a login as administrators, so there is that login security -
 not anyone can use the editor to create a web page.  But, we have generally
 had a lot more security than that.
 I'm assuming that there are users of Mura, Farcry and other CMS's on this
 list and I'd love to know how you have addressed these risks.

While Pete's responses are great (as always), you might also consider
whether you can apply more traditional network access controls to
the problem. For example, you might be able to separate authoring from
publishing entirely, so that authors go to one server and viewers just
go to the production publishing server. We do this for quite a few of
our customers. This isn't necessarily a replacement for client
injection risk mitigation, but it can be a great complement.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357797


Re: Best practices for xss security in CMS?

2014-02-28 Thread Russ Michaels

with any decent editor including CKeditor and tinyMCE, you can specify down
to a granular level which html tags and attributes are allowed/not allowed,
just check the docs and there should be a config file somewhere in your CMS
that instantiates the editor where you can modify these settings.
So it is pretty easy to do as you need.
It is also a good idea to restrict other tags to avoid numpty editors from
just copying and pasting content which screws up the layout.



On Fri, Feb 28, 2014 at 4:29 PM, Dave Watts dwa...@figleaf.com wrote:


  I'm very interested in your feedback on best practices when 1) trying to
  mitigate risk of XSS and other hacks while 2) providing CMS functionality
  that includes a web editor that clients use to publish web pages.
  For example, there are many tags like style, iframe, and embed that
  are considered risks by OWASP and others but are also typically needed by
  CMS users to create web pages, embed youtube videos, and the like.
  We're thinking through how to manage the trade offs so that we protect
  clients but don't frustrate them in making their web pages.
  I'd love to know how others are managing these issues effectively.  Our
  users who are creating web pages with an editor (FCKeditor) are generally
  working behind a login as administrators, so there is that login
 security -
  not anyone can use the editor to create a web page.  But, we have
 generally
  had a lot more security than that.
  I'm assuming that there are users of Mura, Farcry and other CMS's on this
  list and I'd love to know how you have addressed these risks.

 While Pete's responses are great (as always), you might also consider
 whether you can apply more traditional network access controls to
 the problem. For example, you might be able to separate authoring from
 publishing entirely, so that authors go to one server and viewers just
 go to the production publishing server. We do this for quite a few of
 our customers. This isn't necessarily a replacement for client
 injection risk mitigation, but it can be a great complement.

 Dave Watts, CTO, Fig Leaf Software
 1-202-527-9569
 http://www.figleaf.com/
 http://training.figleaf.com/

 Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
 GSA Schedule, and provides the highest caliber vendor-authorized
 instruction at our training centers, online, or onsite.

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357798


Re: Best practices for xss security in CMS?

2014-02-28 Thread Adam Cameron

Also bear in mind that is only half the work. Whatever pre-validation or
UX tweaks one does on the client, one still needs to do the actual
validation on the server too.


On 1 March 2014 06:38, Russ Michaels r...@michaels.me.uk wrote:


 with any decent editor including CKeditor and tinyMCE, you can specify down
 to a granular level which html tags and attributes are allowed/not allowed,
 just check the docs and there should be a config file somewhere in your CMS
 that instantiates the editor where you can modify these settings.
 So it is pretty easy to do as you need.
 It is also a good idea to restrict other tags to avoid numpty editors from
 just copying and pasting content which screws up the layout.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357799


Re: Best practices for xss security in CMS?

2014-02-28 Thread Russ Michaels

although these days if a user has javascript disabled they won't be able to
use the cms at all as it is a requirement for the editor and all the AJAXy
stuff.
but what you can do, is apply filtering to all form fields at a global
level, so any form submission any page will have anything dodgy removed.
I believe FuseGuard will do this for you.


On Fri, Feb 28, 2014 at 6:34 PM, Adam Cameron dacc...@gmail.com wrote:


 Also bear in mind that is only half the work. Whatever pre-validation or
 UX tweaks one does on the client, one still needs to do the actual
 validation on the server too.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357800


Re: Best practices for xss security in CMS?

2014-02-28 Thread Adam Cameron

That's a bit narrow-sighted.

Hackers don't disable JS to bypass clientside pre-validation, they just
post the form directly. Often the server code is not coded in such a way to
be aware how a post is made (via a legit form, or just by a POST request).

*Always* consider client-side pre-validation a nice to have and really
more a UX (hey, you malformed that phone number, wanna try again? sort of
thing) consideration than actual validation. And *always* do validation on
the server.

-- 
Adam




On 1 March 2014 07:44, Russ Michaels r...@michaels.me.uk wrote:


 although these days if a user has javascript disabled they won't be able to
 use the cms at all as it is a requirement for the editor and all the AJAXy
 stuff.
 but what you can do, is apply filtering to all form fields at a global
 level, so any form submission any page will have anything dodgy removed.
 I believe FuseGuard will do this for you.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357801


Re: Best practices for xss security in CMS?

2014-02-28 Thread Russ Michaels

I disagree 100%
scanning All form fields globally for any dodgy content is the complete
opposite of narrow sighted, it is a much more efficient way to make sure
nothing gets through rather than instead trying to do these checks in
multiple different places and potentially missing one.



On Fri, Feb 28, 2014 at 6:56 PM, Adam Cameron dacc...@gmail.com wrote:


 That's a bit narrow-sighted.

 Hackers don't disable JS to bypass clientside pre-validation, they just
 post the form directly. Often the server code is not coded in such a way to
 be aware how a post is made (via a legit form, or just by a POST request).

 *Always* consider client-side pre-validation a nice to have and really
 more a UX (hey, you malformed that phone number, wanna try again? sort of
 thing) consideration than actual validation. And *always* do validation on
 the server.

 --
 Adam




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357802


Re: Best practices for xss security in CMS?

2014-02-28 Thread Adam Cameron

Sorry, I only read as far as disabling Javascript and was commenting on
that. The fact remains that anything done *clientside* is not reliable. It
seems we're not disagreeing there.

Certainly having a WAF is borderline essential on anything other than a
trivial site. I'm not entirely sure doing @ CF level is the correct place
to do it, but that's an aside.

Sorry for confusion.

-- 
Adam


On 1 March 2014 07:59, Russ Michaels r...@michaels.me.uk wrote:


 I disagree 100%
 scanning All form fields globally for any dodgy content is the complete
 opposite of narrow sighted, it is a much more efficient way to make sure
 nothing gets through rather than instead trying to do these checks in
 multiple different places and potentially missing one.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357803


Re: Best practices for xss security in CMS?

2014-02-28 Thread Russ Michaels

tsk, not reading properly before replying is very naughty, I will set
Charlie Arehart on you.

I am quite confident that fuseguard would do a better job than a generic
WAF on a CF site, and anyone on shared hosting won't really have the option
to do a server wide solution.
but certainly if you use multiple technologies on your server then I agree
that a generic  WAF would be the better way to go, and there are some IIS
modules I  which you can enable just on your own site using the web.config
(helicon do this), so don't need server access, apache is probably the same.



On Fri, Feb 28, 2014 at 7:10 PM, Adam Cameron dacc...@gmail.com wrote:


 Sorry, I only read as far as disabling Javascript and was commenting on
 that. The fact remains that anything done *clientside* is not reliable. It
 seems we're not disagreeing there.

 Certainly having a WAF is borderline essential on anything other than a
 trivial site. I'm not entirely sure doing @ CF level is the correct place
 to do it, but that's an aside.

 Sorry for confusion.

 --
 Adam


 On 1 March 2014 07:59, Russ Michaels r...@michaels.me.uk wrote:

 
  I disagree 100%
  scanning All form fields globally for any dodgy content is the complete
  opposite of narrow sighted, it is a much more efficient way to make sure
  nothing gets through rather than instead trying to do these checks in
  multiple different places and potentially missing one.
 
 
 
  On Fri, Feb 28, 2014 at 6:56 PM, Adam Cameron dacc...@gmail.com wrote:
 
  
   That's a bit narrow-sighted.
  
   Hackers don't disable JS to bypass clientside pre-validation, they just
   post the form directly. Often the server code is not coded in such a
 way
  to
   be aware how a post is made (via a legit form, or just by a POST
  request).
  
   *Always* consider client-side pre-validation a nice to have and
 really
   more a UX (hey, you malformed that phone number, wanna try again?
 sort
  of
   thing) consideration than actual validation. And *always *do validation
  on
   the server.
  
   --
   Adam
  
  
  
  
   On 1 March 2014 07:44, Russ Michaels r...@michaels.me.uk wrote:
  
   
although these days if a user has javascript disabled they wont be
 able
   to
use the cms at all as it is a requirement for the editor and all the
   AJAXy
stuff.
but what you can do, is apply filtering to all form fields at a
 global
level, so any form submission any page will have anything dodgy
  removed.
I believe FuseGuard will do this for you.
 


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357804


Re: Best practices for xss security in CMS?

2014-02-20 Thread Pete Freitag

Hi Nick,

It is tricky to handle HTML content while avoiding XSS, there are two
tools I'm aware of that can help you here:

1) scrubHTML() - This is one I built in pure CFML and I think it is pretty
easy to build a whitelist of allowed html using it:
https://github.com/foundeo/cfml-security it will use your whitelist and
only allow HTML tags and attributes that you allow to come out the other
end, anything not matching the whitelist is removed.
2) AntiSamy - written in java, widely used, but its policy files can be
tricky to work with, example using it with CFML:
http://www.petefreitag.com/item/760.cfm


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
minutes



On Wed, Feb 19, 2014 at 11:08 PM, Nick Gleason n.glea...@citysoft.com wrote:


 Hi All,
 I'm very interested in your feedback on best practices when 1) trying to
 mitigate risk of XSS and other hacks while 2) providing CMS functionality
 that includes a web editor that clients use to publish web pages.
 For example, there are many tags like style, iframe, and embed that
 are considered risks by OWASP and others but are also typically needed by
 CMS users to create web pages, embed youtube videos, and the like.
 We're thinking through how to manage the trade offs so that we protect
 clients but don't frustrate them in making their web pages.
 I'd love to know how others are managing these issues effectively.  Our
 users who are creating web pages with an editor (FCKeditor) are generally
 working behind a login as administrators, so there is that login security -
 not anyone can use the editor to create a web page.  But, we have generally
 had a lot more security than that.
 I'm assuming that there are users of Mura, Farcry and other CMS's on this
 list and I'd love to know how you have addressed these risks.
 Thanks in advance!
 Nick




 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357715


Re: Best practices for xss security in CMS?

2014-02-20 Thread Nick Gleason

Thanks very much Pete.
We have implemented Portcullis among other things and that will also block 
tags like the ones mentioned.  I think that may be similar to the ones that 
you mention.  I expect that Fuseguard has something similar.  
I guess my follow up question may have to be with what kind of policy to 
create.  Blocking those tags 100% of the time feels draconian.  Blocking 
them 0% of the time feels risky.  
I expect that we need to develop rules for allowing some people (e.g. web 
master, super user, etc.) to use them while perhaps blocking others.  Does 
anyone on this list have experience with how to make those trade-offs 
effectively?
Nick

 


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357716
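
An added example, not code from the thread and not the code of scrubHTML(), AntiSamy or Portcullis: a minimal allowlist sanitizer in Python showing the approach Pete describes (only listed tags and attributes come out the other end) combined with the per-role policy Nick asks about. The role names, tag lists and iframe host list are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policies (assumptions for this example): tag -> allowed attributes.
BASE = {t: set() for t in ("p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "h2", "h3")}
BASE.update({"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}})
POLICIES = {
    "editor": BASE,
    "webmaster": {**BASE, "iframe": {"src", "width", "height", "allowfullscreen"}},
}
IFRAME_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com"}  # constructed list
URL_ATTRS = {"href", "src"}
LINK_SCHEMES = {"", "http", "https", "mailto"}  # "" is a relative URL
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}  # drop the element's text along with the tag


def url_ok(tag, value):
    """Allow relative/http(s)/mailto URLs; iframes need https on an allowed host."""
    if re.search(r"[\x00-\x20\\]", value):
        return False  # browsers normalise these characters; refuse instead of guessing
    head = re.split(r"[/?#]", value, maxsplit=1)[0]
    scheme = head.split(":", 1)[0].lower() if ":" in head else ""
    if tag != "iframe":
        return scheme in LINK_SCHEMES
    try:
        return scheme == "https" and urlsplit(value).hostname in IFRAME_HOSTS
    except ValueError:
        return False


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; all text is re-escaped."""

    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy = policy
        self.out = []        # sanitized output fragments
        self.open_tags = []  # emitted tags still awaiting a close
        self.removed = []    # what was stripped, for logging or review
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
        if self.skip_depth or tag not in self.policy:
            self.removed.append(f"<{tag}>")
            return
        kept = {}
        for name, value in attrs:
            value = (value or "").strip()
            if name not in self.policy[tag] or (name in URL_ATTRS and not url_ok(tag, value)):
                self.removed.append(f"{tag}@{name}")
            else:
                kept.setdefault(name, value)  # first duplicate wins, as in browsers
        if tag == "iframe" and "src" not in kept:
            self.removed.append("<iframe>")  # no acceptable source: drop the frame
            return
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.open_tags:
            # Close still-open children first so the output stays well nested.
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html_text, role):
    """Return (clean_html, removed_items). Unknown roles get the strictest policy."""
    parser = AllowlistSanitizer(POLICIES.get(role, POLICIES["editor"]))
    parser.feed(html_text)
    parser.close()
    while parser.open_tags:
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out), parser.removed


# Constructed sample of editor output, as it might arrive in a form POST.
SAMPLE = (
    '<p onclick="steal()">Hello <b>world</b></p><script>alert(1)</script>'
    '<a href="javascript:alert(1)">bad</a> <a href="/about.cfm">ok</a>'
    '<iframe src="https://www.youtube.com/embed/abc123" width="560"></iframe>'
    '<iframe src="https://evil.example/x"></iframe>'
)
```

Run it on the server when content is saved, as the thread stresses, and keep the `removed` list so editors can see why markup disappeared.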


Best practices for xss security in CMS?

2014-02-19 Thread Nick Gleason

Hi All,
I'm very interested in your feedback on best practices when 1) trying to 
mitigate risk of XSS and other hacks while 2) providing CMS functionality 
that includes a web editor that clients use to publish web pages.
For example, there are many tags like style, iframe, and embed that 
are considered risks by OWASP and others but are also typically needed by 
CMS users to create web pages, embed youtube videos, and the like.
We're thinking through how to manage the trade offs so that we protect 
clients but don't frustrate them in making their web pages.
I'd love to know how others are managing these issues effectively.  Our 
users who are creating web pages with an editor (FCKeditor) are generally 
working behind a login as administrators, so there is that login security - 
not anyone can use the editor to create a web page.  But, we have generally 
had a lot more security than that.
I'm assuming that there are users of Mura, Farcry and other CMS's on this 
list and I'd love to know how you have addressed these risks.
Thanks in advance!
Nick

 


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357710


RE: Best practices

2012-06-21 Thread Stephens, Larry V

And, IMO, there's a point too often overlooked: commenting and style (as in 
indenting code and naming stuff). 

I've sometimes been weak about comments in my code - but I'm trying to do 
better. I have trouble remembering what I was trying to do when I revisit code 
after a few months, let alone looking at someone else's code. And while I'll 
buy that some code is self-documenting I don't buy that on a much grander scale 
than a half-dozen lines or so.

I am insistent that any code written for my department be properly indented and 
that includes javascript (and I don't mean online libraries). I'm willing to 
give up the fractional difference in load or execution time for code I can 
decipher without developing ulcers.

I recently had to help with some code with really outlandish variable and field 
names.
<cfset mawkishbbt = GNOME.barakish> (not really, but a good paraphrase)

Name stuff so the next person that looks at the code has a clue what you're 
doing.

 

-Original Message-
From: Maureen [mailto:mamamaur...@gmail.com] 
Sent: Wednesday, June 20, 2012 6:18 PM
To: cf-talk
Subject: Re: Best practices


If I wrap a large amount of code in cfoutput tags, I always comment the 
starting and ending tags to describe what they wrap.  It makes it easier to 
match them when debugging.

On Wed, Jun 20, 2012 at 3:05 PM, Rob Voyle robvo...@voyle.com wrote:

 Hi folks

 Thanks for the input and help.
 I had not been thinking in terms of speed but of accuracy, which 
 doesn't seem to be an issue. The page isn't that big that speed is 
 going to be a problem. It is actually much easier to code without the 
 output as I have several paragraphs with variable scattered throughout.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351630


Re[2]: Best practices

2012-06-21 Thread Michael David

I assume the GNOME scope is only used for really short variables, yes?

(sorry, I just couldn't resist)

:)

-- 
Cheers!
Michael David




-- Original Message --
From: Stephens, Larry V steph...@iu.edu
To: cf-talk cf-talk@houseoffusion.com
Sent: 6/21/2012 9:26:48 AM
Subject: RE: Best practices
And, IMO, there's a point too often overlooked: commenting and style (as in 
indenting code and naming stuff).

I've sometimes been weak about comments in my code - but I'm trying to do 
better. I have trouble remembering what I was trying to do when I revisit code 
after a few months, let alone looking at someone else's code. And while I'll 
buy that some code is self-documenting I don't buy that on a much grander 
scale than a half-dozen lines or so.

I am insistent that any code written for my department be properly indented 
and that includes javascript (and I don't mean online libraries). I'm willing 
to give up the fractional difference in load or execution time for code I can 
decipher without developing ulcers.

I recently had to help with some code with really outlandish variable and 
field names.
 <cfset mawkishbbt = GNOME.barakish> (not really, but a good paraphrase)

Name stuff so the next person that looks at the code has a clue what you're 
doing.



-Original Message-
From: Maureen [mailto:mamamaur...@gmail.com]
Sent: Wednesday, June 20, 2012 6:18 PM
To: cf-talk
Subject: Re: Best practices


If I wrap a large amount of code in cfoutput tags, I always comment the 
starting and ending tags to describe what they wrap.  It makes it easier to 
match them when debugging.

On Wed, Jun 20, 2012 at 3:05 PM, Rob Voyle robvo...@voyle.com wrote:



Hi folks

Thanks for the input and help.
I had not been thinking in terms of speed but of accuracy, which
doesn't seem to be an issue. The page isn't that big that speed is
going to be a problem. It is actually much easier to code without the
output as I have several paragraphs with variable scattered throughout.







Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351631


Re: Best practices

2012-06-21 Thread Dave Watts

 I recently had to help with some code with really outlandish variable and 
 field names.
 <cfset mawkishbbt = GNOME.barakish> (not really, but a good paraphrase)

I've been telling this story to students for I guess around ten years now.

I've done quite a bit of work reviewing other people's apps, and
suggesting improvements or fixing problems, etc. Once, I was hired by
a company, that in the peak craziness of the dotcom era had bought
some sort of forum for developers - kind of like StackOverflow in
concept. Anyway, it was having performance and scaling problems once
people actually started using it, and that's why they hired me.

The app had been developed by a single person, who I was told lived in
a shack in the woods and was very hard to reach, so I was never able
to talk to him.

Anyway, all the variables throughout the program were named after
characters from The Lion King. Of course, the program had nothing to
do with the movie, I guess when you live in a shack in the woods
writing code this is the kind of thing you do. I ended up having to
write a cast of characters which mapped to what the variables
actually did:

Application.Simba - number of logged-in users
...

I reported all this to the client, of course, but I don't know if the
developer ever suffered any negative repercussions - other than being
the butt of my jokes in the hundreds of CF classes I've taught since.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or ons

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351632


Re: Best practices

2012-06-21 Thread Justin Scott

 I recently had to help with some code with really
 outlandish variable and field names.
 <cfset mawkishbbt = GNOME.barakish> (not really, but a good paraphrase)

That reminds me of my days writing vScript for the Virtual Advanced
BBS (way back in 1995) where all of the variables were predefined
based on letters and numbers, so: a0, a1 ... z8, z9.  Talk about
torture... and you'd better not need more than 260 of them in any one
script either.  Shudder.


-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351639


Re: Best practices

2012-06-21 Thread Maureen

Even worse is when they copy code directly from tutorials and have
names like myTable, myQuery, myForm, foo and bar.

On Thu, Jun 21, 2012 at 9:08 AM, Justin Scott leviat...@darktech.org wrote:


 That reminds me of my days writing vScript for the Virtual Advanced
 BBS (way back in 1995) where all of the variables were predefined
 based on letters and numbers, so: a0, a1 ... z8, z9.  Talk about
 torture... and you'd better not need more than 260 of them in any one
 script either.  Shudd

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351647


Re: Best practices

2012-06-20 Thread Russ Michaels

Everything between cfoutput tags needs to be parsed. So a big page would
slow performance, by how much is prob negligible but worth testing to find
out.
If there are only a few vars in the whole page then only putting the
cfoutput where needed will speed things up. Depends how important those
milliseconds are to you.

Regards
Russ Michaels
On Jun 20, 2012 2:52 AM, Nathan Strutz str...@gmail.com wrote:


 Matt's dead on. It really doesn't matter very much, anymore. It's a style
 preference.

 That said, I would add that style is very important! The ability to scan a
 file and know what it's doing without guessing is an important thing.
 Having templates that match and create a cohesive feeling application is
 also important.

 With that, I'd say wrapping entire templates is ok so long as you don't
 force a lot of double-## escaping characters, because that looks ugly. Try
 to keep CFML out of your javascript except where it's necessary, because
 that looks ugly. Same for stylesheets, because ID selectors get double-hash
 marks, which removes you from your context.

 nathan strutz
 [www.dopefly.com] [hi.im/nathanstrutz] [about.me/nathanstrutz]


 On Tue, Jun 19, 2012 at 4:25 PM, Matt Quackenbush quackfu...@gmail.com
 wrote:

 
  Years ago it was much more performant to use the single tag wrapped
 around
  everything. Nowadays it is kinda more about personal preference than
  performance.
 
  HTH
 
  Sent from my Samsung Galaxy SII
  On Jun 19, 2012 6:20 PM, Rob Voyle robvo...@voyle.com wrote:
 
  
   Hi Folks
  
   I am wondering what is considered best practices for the cfoutput tag
  
   I have a large page many tables, paragraphs etc. that has text and a
   series of variables scattered thru it.
   The simplest coding is to put a <cfoutput> at the beginning and a
   </cfoutput> at the end and use #variable# thru the page

   or should I use a separate <cfoutput>#variable#</cfoutput> for each new
   variable.
  
   Thanks
   Rob
   Robert J. Voyle, Psy.D.
   Director, Clergy Leadership Institute
   For Coaching and Training in Appreciative Inquiry
   Author: Restoring Hope: Appreciative Strategies
   to Resolve Grief and Resentment
   http://www.appreciativeway.com/
   503-647-2378 or 503-647-2382
  
  
  
  
 
 

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351621


Re: Best practices

2012-06-20 Thread Justin Scott

 Everything between cfoutput tags needs to be parsed. So a big
 page would slow performance, by how much is prob negligible
 but worth testing to find out.

Remember that this would only be a hit once each time the file was
changed, as once it's compiled down to bytecode it doesn't have to be
parsed again.  Back in the CF5 days the code was parsed with each page
view, but that hasn't been the case since CFMX 6.


-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351623


Re: Best practices

2012-06-20 Thread Dave Watts

  Everything between cfoutput tags needs to be parsed. So a big
  page would slow performance, by how much is prob negligible
  but worth testing to find out.

 Remember that this would only be a hit once each time the file was
 changed, as once it's compiled down to bytecode it doesn't have to be
 parsed again.  Back in the CF5 days the code was parsed with each page
 view, but that hasn't been the case since CFMX 6.

While the general statement you made about bytecode is true, the
conclusion you draw from it is one that I'd be reluctant to make
without load testing. CF still has to substitute values for
expressions in your CFOUTPUT blocks, and we don't know whether the
cost of multiple CFOUTPUTs vs single, larger CFOUTPUTs is a
compilation cost or an execution cost. At least, I don't know, and
I've never seen any real evidence one way or the other.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351625


Re: Best practices

2012-06-20 Thread Justin Scott

 While the general statement you made about bytecode is true, the
 conclusion you draw from it is one that I'd be reluctant to make
 without load testing.

Indeed, I had this debate with someone a few years ago and we beat a
server into the ground for a few hours with both scenarios and the
results were essentially the same either way.  I don't have the exact
numbers anymore, but it was along the lines of a difference of less
than 10ms when the results of millions of iterations were averaged out
(that was on ColdFusion 8 Enterprise on a Dell PowerEdge 2850 server
if memory serves).  I remember this being a big deal back in 1999
under CF4, but in current versions it doesn't appear to matter from a
performance standpoint which cfoutput approach is used.


-Justin Scott

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351626


Re: Best practices

2012-06-20 Thread Rob Voyle

Hi folks

Thanks for the input and help.
I had not been thinking in terms of speed but of accuracy, which doesn't seem 
to be an issue. The page isn't that big that speed is going to be a problem. 
It is actually much easier to code without the output as I have several 
paragraphs with variable scattered throughout.

Thanks
Rob
Robert J. Voyle, Psy.D.
Director, Clergy Leadership Institute
For Coaching and Training in Appreciative Inquiry
Author: Restoring Hope: Appreciative Strategies
 to Resolve Grief and Resentment
http://www.appreciativeway.com/
503-647-2378 or 503-647-2382
   


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351627


Re: Best practices

2012-06-20 Thread Maureen

If I wrap a large amount of code in cfoutput tags, I always comment
the starting and ending tags to describe what they wrap.  It makes it
easier to match them when debugging.

On Wed, Jun 20, 2012 at 3:05 PM, Rob Voyle robvo...@voyle.com wrote:

 Hi folks

 Thanks for the input and help.
 I had not been thinking in terms of speed but of accuracy, which doesn't seem
 to be an issue. The page isn't that big that speed is going to be a problem.
 It is actually much easier to code without the output as I have several
 paragraphs with variable scattered throughout.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351628


Best practices

2012-06-19 Thread Rob Voyle

Hi Folks

I am wondering what is considered best practices for the cfoutput tag

I have a large page many tables, paragraphs etc. that has text and a series of 
variables scattered thru it.
The simplest coding is to put a <cfoutput> at the beginning and a </cfoutput> at 
the end and use #variable# thru the page

or should I use a separate <cfoutput>#variable#</cfoutput> for each new 
variable.

Thanks
Rob
Robert J. Voyle, Psy.D.
Director, Clergy Leadership Institute
For Coaching and Training in Appreciative Inquiry
Author: Restoring Hope: Appreciative Strategies
 to Resolve Grief and Resentment
http://www.appreciativeway.com/
503-647-2378 or 503-647-2382



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351617


Re: Best practices

2012-06-19 Thread Matt Quackenbush

Years ago it was much more performant to use the single tag wrapped around
everything. Nowadays it is kinda more about personal preference than
performance.

HTH

Sent from my Samsung Galaxy SII
On Jun 19, 2012 6:20 PM, Rob Voyle robvo...@voyle.com wrote:


 Hi Folks

 I am wondering what is considered best practices for the cfoutput tag

 I have a large page many tables, paragraphs etc. that has text and a
 series of variables scattered thru it.
 The simplest coding is to put a <cfoutput> at the beginning and a
 </cfoutput> at the end and use #variable# thru the page

 or should I use a separate <cfoutput>#variable#</cfoutput> for each new
 variable.

 Thanks
 Rob
 Robert J. Voyle, Psy.D.
 Director, Clergy Leadership Institute
 For Coaching and Training in Appreciative Inquiry
 Author: Restoring Hope: Appreciative Strategies
 to Resolve Grief and Resentment
 http://www.appreciativeway.com/
 503-647-2378 or 503-647-2382



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351618


Re: Best practices

2012-06-19 Thread AJ Mercer

If you use cfsetting show output only (can't recall attribute)
You have to wrap html in cfoutput tags
On Jun 20, 2012 7:20 AM, Rob Voyle robvo...@voyle.com wrote:


 Hi Folks

 I am wondering what is considered best practices for the cfoutput tag

 I have a large page many tables, paragraphs etc. that has text and a
 series of variables scattered thru it.
 The simplest coding is to put a <cfoutput> at the beginning and a
 </cfoutput> at the end and use #variable# thru the page

 or should I use a separate <cfoutput>#variable#</cfoutput> for each new
 variable.

 Thanks
 Rob
 Robert J. Voyle, Psy.D.
 Director, Clergy Leadership Institute
 For Coaching and Training in Appreciative Inquiry
 Author: Restoring Hope: Appreciative Strategies
 to Resolve Grief and Resentment
 http://www.appreciativeway.com/
 503-647-2378 or 503-647-2382



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351619


Re: Best practices

2012-06-19 Thread Nathan Strutz

Matt's dead on. It really doesn't matter very much, anymore. It's a style
preference.

That said, I would add that style is very important! The ability to scan a
file and know what it's doing without guessing is an important thing.
Having templates that match and create a cohesive feeling application is
also important.

With that, I'd say wrapping entire templates is ok so long as you don't
force a lot of double-## escaping characters, because that looks ugly. Try
to keep CFML out of your javascript except where it's necessary, because
that looks ugly. Same for stylesheets, because ID selectors get double-hash
marks, which removes you from your context.

nathan strutz
[www.dopefly.com] [hi.im/nathanstrutz] [about.me/nathanstrutz]


On Tue, Jun 19, 2012 at 4:25 PM, Matt Quackenbush quackfu...@gmail.com wrote:


 Years ago it was much more performant to use the single tag wrapped around
 everything. Nowadays it is kinda more about personal preference than
 performance.

 HTH

 Sent from my Samsung Galaxy SII
 On Jun 19, 2012 6:20 PM, Rob Voyle robvo...@voyle.com wrote:

 
  Hi Folks
 
  I am wondering what is considered best practices for the cfoutput tag
 
  I have a large page many tables, paragraphs etc. that has text and a
  series of variables scattered thru it.
  The simplest coding is to put a <cfoutput> at the beginning and a
  </cfoutput> at the end and use #variable# thru the page

  or should I use a separate <cfoutput>#variable#</cfoutput> for each new
  variable.
 
  Thanks
  Rob
  Robert J. Voyle, Psy.D.
  Director, Clergy Leadership Institute
  For Coaching and Training in Appreciative Inquiry
  Author: Restoring Hope: Appreciative Strategies
  to Resolve Grief and Resentment
  http://www.appreciativeway.com/
  503-647-2378 or 503-647-2382
 
 
 
 

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351620


Re: Best practices: Google mapping

2011-12-22 Thread Larry Lyons

Is that Jason Dean format?


On Thu, Dec 15, 2011 at 2:36 PM, Larry Lyons larrycly...@gmail.com wrote:


My iPad has a completely different idea of my typing. (Its becoming typecast 
actually)

I meant to say you may want to try the jquery google maps plugin. It accepts 
json.


http://code.google.com/p/jquery-ui-map/ 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349235


Re: Best practices: Google mapping

2011-12-15 Thread Steve 'Cutter' Blades

You can try my CFGMap project on RIAForge. Should be well documented, 
but you're welcome to ask questions off list.

http://cfgmap.riaforge.org/

Steve 'Cutter' Blades
Adobe Community Professional
Adobe Certified Expert
Advanced Macromedia ColdFusion MX 7 Developer

http://cutterscrossing.com


Co-Author Learning Ext JS 3.2 Packt Publishing 2010
https://www.packtpub.com/learning-ext-js-3-2-for-building-dynamic-desktop-style-user-interfaces/book

The best way to predict the future is to help create it


On 12/14/2011 5:19 PM, Jeff Gladnick wrote:
 Is there a current state of the art for dealing with Google maps and 
 coldfusion, especially asynchronously.  I've used cf_googlemap extensively in 
 the past, but has anything eclipsed it?

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349163


Re: Best practices: Google mapping

2011-12-15 Thread Raymond Camden

I've got a few blog entries on using Google Maps w/ CF outside of
CFMAP as well.


On Wed, Dec 14, 2011 at 4:19 PM, Jeff Gladnick jeff.gladn...@gmail.com wrote:

 Is there a current state of the art for dealing with Google maps and 
 coldfusion, especially asynchronously.  I've used cf_googlemap extensively in 
 the past, but has anything eclipsed it?




-- 
===
Raymond Camden, Adobe Developer Evangelist

Email : raymondcam...@gmail.com
Blog : www.raymondcamden.com
Twitter: cfjedimaste

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349164


Re: Best practices: Google mapping

2011-12-15 Thread Larry Lyons

 Is there a current state of the art for dealing with Google maps and 
 coldfusion, especially asynchronously.  I've used cf_googlemap 
 extensively in the past, but has anything eclipsed it? 
You could try the google maps jQuert plugin. One of the options is accepting 
Jason input.

http://code.google.com/p/jquery-ui-map/ 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349172


Re: Best practices: Google mapping

2011-12-15 Thread Raymond Camden

Is that Jason Dean format?


On Thu, Dec 15, 2011 at 2:36 PM, Larry Lyons larrycly...@gmail.com wrote:

 Is there a current state of the art for dealing with Google maps and
 coldfusion, especially asynchronously.  I've used cf_googlemap
 extensively in the past, but has anything eclipsed it?
 You could try the google maps jQuert plugin. One of the options is accepting 
 Jason input.

 http://code.google.com/p/jquery-ui-map/

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349173


Best practices: Google mapping

2011-12-14 Thread Jeff Gladnick

Is there a current state of the art for dealing with Google maps and 
coldfusion, especially asynchronously.  I've used cf_googlemap extensively in 
the past, but has anything eclipsed it? 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349152


Upgrading ColdFusion from MX 7 to 9 - Any Advice, Guidance, Best Practices, Etc?

2010-11-10 Thread Christian N. Abad

Fellow CF Zealots:

 

I'm in the process of having a new dedicated server being built by
Hosting.com (formerly HostMySite.com) that will be running, among other
things, ColdFusion 9.  Once the build is completed in the next couple days,
I will be systematically moving a few dozen websites from the existing box
running CF MX 7 to the new box running CF 9.

 

I'm looking for any type of input or feedback regarding any gotchas,
pitfalls, etc. that I should be aware of during the upgrade.

 

Also, does anyone have any type of best practices document, upgrade
guide or whitepaper that I could review?

 

Any help would be greatly appreciated; thank you so very much in advance!

 

Sincerely,

 

Christian N. Abad - President

 

Accessible Computing, Inc.

1210 McLaughlin Drive

Charlotte, NC 28212

http://www.AccessibleComputing.com

 

704.900.1825 (Direct Line)

li...@accessiblecomputing.com

 

 




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:339078


RE: Upgrading ColdFusion from MX 7 to 9 - Any Advice, Guidance, Best Practices, Etc?

2010-11-10 Thread Russ Michaels

Make sure you have all the hotfixes and updates installed, there were a few
things that got screwed with CF9 functionality wise that have since been
fixed plus some security issues as well. Other than that I think you will be
pretty safe, we have not had any issues moving customers to CF9.


Regards
--
Russ Michaels
www.cfmldeveloper.com - free CFML hosting for developers
my blog: http://russ.michaels.me.uk/
skype: russmichaels



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:339079


Re: Upgrading ColdFusion from MX 7 to 9 - Any Advice, Guidance, Best Practices, Etc?

2010-11-10 Thread Adrocknaphobia

Josh Adams recently posted a collection of information on the topic.
http://blog.joshuaadams.com/index.cfm/2010/11/2/Upgrading-from-ColdFusion-MX-7-or-ColdFusion-8-to-ColdFusion-9

-Adam

On Wed, Nov 10, 2010 at 10:47 AM, Russ Michaels r...@michaels.me.uk wrote:


 Make sure you have all the hotfixes and updates installed, there were a few
 things that got screwed with CF9 functionality wise that have since been
 fixed plus some security issues as well. Other than that I think you will
 be
 pretty safe, we have not had any issues moving customers to CF9.


 Regards
 --
 Russ Michaels
 www.cfmldeveloper.com - free CFML hosting for developers
 my blog: http://russ.michaels.me.uk/
 skype: russmichaels



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:339089


Re: Upgrading ColdFusion from MX 7 to 9 - Any Advice, Guidance, Best Practices, Etc?

2010-11-10 Thread Sean Corfield

On Wed, Nov 10, 2010 at 7:32 AM, Christian N. Abad
li...@accessiblecomputing.com wrote:
 I'm in the process of having a new dedicated server being built by
 Hosting.com (formerly HostMySite.com) that will be running, among other
 things, ColdFusion 9.  Once the build is completed in the next couple days,
 I will be systematically moving a few dozen websites from the existing box
 running CF MX 7 to the new box running CF 9.

One thing you'll notice is that CF9 is dramatically faster than CFMX7!
-- 
Sean A Corfield -- (904) 302-SEAN
Railo Technologies, Inc. -- http://getrailo.com/
An Architect's View -- http://corfield.org/

If you're not annoying somebody, you're not really alive.
-- Margaret Atwoo

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:339102


Re: Git, CF and best practices

2010-08-31 Thread Mallory Woods

Thank you all for the information. I will be reading a lot and trying to
make the best decision!

On Tue, Aug 31, 2010 at 12:24 AM, Kym Kovan dev-li...@mbcomms.net.au wrote:


 On 31/08/2010 11:16, Mallory Woods wrote:
 
  I just started looking at git to use for source control for our CF
 projects.
  I wanted to ask those who are using it a few questions.

 git is a distributed version control system so having a central
 repository is fine for later, completed versions but it might be worth
 considering having a local repo for each developer so that they can save
 and version control internally and then when they are happy with their
 current work snippet push that back to a common/shared repo. That way
 you get some independence otherwise you are not doing much more than
 what svn does.

 Also you might consider looking at mercurial rather than git as it has a
 better fit with Windows machines.

 For example here we use Mercurial and every developer has a local set of
 repos on their workstation which they work with and when they have
 finished code synchronise from that back to a central repo where they
 can share their work with others. We actually have several central repos
 for test/stage levels of goodness of code rather than branching, the two
 are almost synonymous in distributed version control systems and
 synchronising between repos is simplicity itself (in Mercurial at least).

 If you want to get really fancy and you have developers on the move or
 with more than one workstation, desktop and notebook for example, then
 you can have another repo on a central server for that developer to sync
 up to from one workstation so that they can then pull that update down
 onto their other workstation. They can then keep code current on two
 machines without having half-good code in the main repos for other
 people to trip over.


 --

 Yours,

 Kym Kovan
 mbcomms.net.au


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336664


Git, CF and best practices

2010-08-30 Thread Mallory Woods

Hello all,

I just started looking at git to use for source control for our CF projects.
I wanted to ask those who are using it a few questions.

First a few facts:

Our servers are running Linux (dev, staging, production) but we are writing
our code on Windows boxes.
We are using CF builder and I have the git plugin installed.

I wanted to ask about setting up the git repository on the server to be in
our web server directory?
For example: the web directory is http://www.thissite.com  and the local
directory is : /var/www/html/projectname
Would it be best to put the repo there in the project directory and create
two branches for the two developers and merge them when we want to release
the code?

I would also like to ask, if anyone has any good suggestions on a tool or
tools to push a specific version of the code to the server(s).
From what I can see I would do an export then manually unarchive the files
to the proper directory

Thanks in advance.

Mallory


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336657


Re: Git, CF and best practices

2010-08-30 Thread Matt Williams

I'm not a git user myself, but here is a recent blog article I remember seeing:
http://www.bytestopshere.com/post.cfm/git-is-scary-but-it-doesn-t-need-to-be

-Matt

On Mon, Aug 30, 2010 at 9:16 PM, Mallory Woods mallory.wo...@gmail.com wrote:

 Hello all,

 I just started looking at git to use for source control for our CF projects.
 I wanted to ask those who are using it a few questions.

 First a few facts:

 Our servers are running Linux (dev, staging, production) but we are writing
 our code on Windows boxes.
 We are using CF builder and I have the git plugin installed.

 I wanted to ask about setting up the git repository on the server to be in
 our web server directory?
 For example: the web directory is http://www.thissite.com  and the local
 directory is : /var/www/html/projectname
 Would it be best to put the repo there in the project directory and create
 two branches for the two developers and merge them when we want to release
 the code?

 I would also like to ask, if anyone has any good suggestions on a tool or
 tools to push a specific version of the code to the server(s).
 From what I can see I would do an export then manually unarchive the files
 to the proper directory

 Thanks in advance.

 Mallory


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336658


Re: Git, CF and best practices

2010-08-30 Thread Larry Lyons

You may find this presentation may help.
http://experts.na3.acrobat.com/p65645730/?launcher=falsefcsContent=truepbMode=normal

Also Mike Henke (http://www.henke.ws/) blogs about using .git with CF on a 
regular basis.

hth,
larry

Hello all,

I just started looking at git to use for source control for our CF projects.
I wanted to ask those who are using it a few questions.

First a few facts:

Our servers are running Linux (dev, staging, production) but we are writing
our code on Windows boxes.
We are using CF builder and I have the git plugin installed.

I wanted to ask about setting up the git repository on the server to be in
our web server directory?
For example: the web directory is http://www.thissite.com  and the local
directory is : /var/www/html/projectname
Would it be best to put the repo there in the project directory and create
two branches for the two developers and merge them when we want to release
the code?

I would also like to ask, if anyone has any good suggestions on a tool or
tools to push a specific version of the code to the server(s).
From what I can see I would do an export then manually unarchive the files
to the proper directory

Thanks in advance.

Mallory 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336659


Re: Git, CF and best practices

2010-08-30 Thread Kym Kovan

On 31/08/2010 11:16, Mallory Woods wrote:

 I just started looking at git to use for source control for our CF projects.
 I wanted to ask those who are using it a few questions.

git is a distributed version control system so having a central 
repository is fine for later, completed versions but it might be worth 
considering having a local repo for each developer so that they can save 
and version control internally and then when they are happy with their 
current work snippet push that back to a common/shared repo. That way 
you get some independence otherwise you are not doing much more than 
what svn does.

Also you might consider looking at mercurial rather than git as it has a 
better fit with Windows machines.

For example here we use Mercurial and every developer has a local set of 
repos on their workstation which they work with and when they have 
finished code synchronise from that back to a central repo where they 
can share their work with others. We actually have several central repos 
for test/stage levels of goodness of code rather than branching, the two 
are almost synonymous in distributed version control systems and 
synchronising between repos is simplicity itself (in Mercurial at least).

If you want to get really fancy and you have developers on the move or 
with more than one workstation, desktop and notebook for example, then 
you can have another repo on a central server for that developer to sync 
up to from one workstation so that they can then pull that update down 
onto their other workstation. They can then keep code current on two 
machines without having half-good code in the main repos for other 
people to trip over.


-- 

Yours,

Kym Kovan
mbcomms.net.au


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336660


IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Jeff F

I'd like to set up my development environment to match what I've got on the 
server, namely multiple sites under IIS with each site acting as root. 

Can anyone offer any tips and what they do that works well? Is there an issue 
or special consideration with ColdFusion Developer edition in setting up 
multiple sites under IIS? 

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329496


Re: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Eric Cobb

ColdFusion is not going to be your problem, IIS is.  If you're talking 
about setting this up on a desktop OS, then IIS isn't going to let you 
do it.  I know in XP (and pretty sure about Vista), IIS can only have 1 
website.  You can only have multiple sites in IIS on a server OS.

There are hacks and specialty software you can use to get around this, 
but natively IIS isn't going to let you do it.

Thanks,

Eric Cobb
http://www.cfgears.com



Jeff F wrote:
 I'd like to set up my development environment to match what I've got on the 
 server, namely multiple sites under IIS with each site acting as root. 

 Can anyone offer any tips and what they do that works well? Is there an issue 
 or special consideration with ColdFusion Developer edition in setting up 
 multiple sites under IIS? 

  

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329498


Re: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Dominic Watson

Indeed, if your dev environment is not a server, and you're working on a
desktop/laptop look at this for creating multiple sites in IIS:

http://www.gafvert.info/iis/article/multiple_websites_xp.htm

Then, create a separate domain for each site in your hosts file, resolving
it to 127.0.0.1 i.e.

127.0.0.1 localhost.mysite1
127.0.0.1 localhost.mysite2
...

I don't recall exactly where the hosts file sits on windows, system32
somewhere I think...

Create each site in IIS with the corresponding host header
(localhost.mysite1, etc) and you are good to go with multiple sites with
local, root domains.

HTH

Dominic

2010/1/8 Eric Cobb cft...@ecartech.com


 ColdFusion is not going to be your problem, IIS is.  If you're talking
 about setting this up on a desktop OS, then IIS isn't going to let you
 do it.  I know in XP (and pretty sure about Vista), IIS can only have 1
 website.  You can only have multiple sites in IIS on a server OS.

 There are hacks and specialty software you can use to get around this,
 but natively IIS isn't going to let you do it.

 Thanks,

 Eric Cobb
 http://www.cfgears.com



 Jeff F wrote:
  I'd like to set up my development environment to match what I've got on
 the server, namely multiple sites under IIS with each site acting as root.
 
  Can anyone offer any tips and what they do that works well? Is there an
 issue or special consideration with ColdFusion Developer edition in setting
 up multiple sites under IIS?
 
 
 
 

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329499


Re: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Dave Watts

 ColdFusion is not going to be your problem, IIS is.  If you're talking
 about setting this up on a desktop OS, then IIS isn't going to let you
 do it.  I know in XP (and pretty sure about Vista), IIS can only have 1
 website.  You can only have multiple sites in IIS on a server OS.

This is not true in Vista or Windows 7, in any version available in the US.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsi

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329501


Re: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Greg Luce

IIS7 on Vista and Windows 7 allow multiple sites.

Greg



On Fri, Jan 8, 2010 at 8:55 AM, Eric Cobb cft...@ecartech.com wrote:


 ColdFusion is not going to be your problem, IIS is.  If you're talking
 about setting this up on a desktop OS, then IIS isn't going to let you
 do it.  I know in XP (and pretty sure about Vista), IIS can only have 1
 website.  You can only have multiple sites in IIS on a server OS.

 There are hacks and specialty software you can use to get around this,
 but natively IIS isn't going to let you do it.

 Thanks,

 Eric Cobb
 http://www.cfgears.com



 Jeff F wrote:
  I'd like to set up my development environment to match what I've got on
 the server, namely multiple sites under IIS with each site acting as root.
 
  Can anyone offer any tips and what they do that works well? Is there an
 issue or special consideration with ColdFusion Developer edition in setting
 up multiple sites under IIS?
 
 
 
 

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329502


Re: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Eric Cobb

Sweet!  I wasn't sure about 7 (haven't used it yet), but I didn't 
realize that about Vista.  I've never had a need to check.

That's good to know.

Thanks,

Eric Cobb
http://www.cfgears.com



Dave Watts wrote:
 ColdFusion is not going to be your problem, IIS is.  If you're talking
 about setting this up on a desktop OS, then IIS isn't going to let you
 do it.  I know in XP (and pretty sure about Vista), IIS can only have 1
 website.  You can only have multiple sites in IIS on a server OS.
 

 This is not true in Vista or Windows 7, in any version available in the US.

 Dave Watts, CTO, Fig Leaf Software
 http://www.figleaf.com/
 http://training.figleaf.com/

 Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
 GSA Schedule, and provides the highest caliber vendor-authorized
 instruction at our training centers, online, or onsi

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329506


Re: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Jason Fisher

Someone mentioned the 'hosts' file, too, which can be useful for spoofing 
URLs in development.

c:\windows\system32\drivers\etc\hosts





Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329507


Re: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Jeff F

IIS7 on Vista and Windows 7 allow multiple sites.


Through host headers? Won't this be an issue with ColdFusion Dev edition? 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329508


Re: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Dave Watts

 IIS7 on Vista and Windows 7 allow multiple sites.

 Through host headers? Won't this be an issue with ColdFusion Dev edition?

No. It's working just fine for me, right this minute. The developer
edition just limits incoming connections to a handful of IP addresses.
No edition limits how many virtual web servers you hook it up to.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329509


Re: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Jeff F

Someone mentioned the 'hosts' file, too, which can be useful for spoofing 
URLs in development.

c:\windows\system32\drivers\etc\hosts

I'm on Windows 7 with IIS7 and I just tried this.

I created a new site in IIS with a host name of www.beta.test.com
I then added the new site in the hosts file as 
127.0.0.1 www.beta.solo.com

When I browse to www.beta.solo.com I get server 500 error of the IsapiModule. 
If I remember, this is a ColdFusion issue correct? 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329510


RE: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread DURETTE, STEVEN J (ATTASIAIT)

I believe that you also have to add www.beta.solo.com to IIS.  If the
site is using host headers (exclusively) and gets one that isn't defined
then it throws an error.

Steve


-Original Message-
From: Jeff F [mailto:cftalk_l...@fongemie.com] 
Sent: Friday, January 08, 2010 10:22 AM
To: cf-talk
Subject: Re: IIS  ColdFusion Developer, best practices for setting up
multiple sites


Someone mentioned the 'hosts' file, too, which can be useful for
spoofing 
URLs in development.

c:\windows\system32\drivers\etc\hosts

I'm on Windows 7 with IIS7 and I just tried this.

I created a new site in IIS with a host name of www.beta.test.com
I then added the new site in the hosts file as 
127.0.0.1 www.beta.solo.com

When I browse to www.beta.solo.com I get server 500 error of the
IsapiModule. If I remember, this is a ColdFusion issue correct? 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329511
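
The mismatch discussed in this exchange (a name in the hosts file with no matching IIS host header, or the reverse) can be checked mechanically. The following is an added example, not code from any poster in this thread; the host-header list is a constructed stand-in for whatever the IIS sites are configured with, and the function names are hypothetical.

```python
"""Cross-check hosts-file names against IIS host-header bindings (added example)."""
import ipaddress

# Constructed sample input: the hosts entries mentioned in the thread.
HOSTS_TEXT = """\
# constructed sample of c:\\windows\\system32\\drivers\\etc\\hosts
127.0.0.1   localhost
127.0.0.1   localhost.mysite1
127.0.0.1   localhost.mysite2   # second dev site
127.0.0.1   www.beta.solo.com
"""

# Constructed: the host names entered as host headers on the IIS sites.
IIS_HOST_HEADERS = ["localhost.mysite1", "localhost.mysite2", "www.beta.test.com"]


def parse_hosts(text):
    """Return {hostname: ip_address} for every well-formed hosts line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:                   # an address with no name
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:                    # not an IP address: skip the line
            continue
        for name in fields[1:]:
            # Keep the first mapping seen for a name; names compare case-insensitively.
            entries.setdefault(name.lower(), ip)
    return entries


def compare(hosts_text, host_headers, ignore=("localhost",)):
    """Report names that exist on only one side of the hosts/IIS pairing."""
    entries = parse_hosts(hosts_text)
    local = {n for n, ip in entries.items() if ip.is_loopback and n not in ignore}
    bound = {h.lower() for h in host_headers}
    return {
        # Resolves to this machine, but no site answers to that host header.
        "no_iis_binding": sorted(local - bound),
        # A site expects this host header, but the name is not in the hosts file.
        "no_hosts_entry": sorted(bound - set(entries)),
    }


if __name__ == "__main__":
    for problem, names in compare(HOSTS_TEXT, IIS_HOST_HEADERS).items():
        for name in names:
            print(f"{problem}: {name}")
```
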


Re: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Sergey Croitor

Use iis_multilex addon for IIS. It works fine on WinXP.

---
Sergey Croitor


On Fri, Jan 8, 2010 at 3:04 PM, Jeff F cftalk_l...@fongemie.com wrote:


 I'd like to set up my development environment to match what I've got on the
 server, namely multiple sites under IIS with each site acting as root.

 Can anyone offer any tips and what they do that works well? Is there an
 issue or special consideration with ColdFusion Developer edition in setting
 up multiple sites under IIS?



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329512


Re: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Sergey Croitor

iis_multiplex is a correct name. I've typed it wrong in previous email.

On Fri, Jan 8, 2010 at 3:04 PM, Jeff F cftalk_l...@fongemie.com wrote:


 I'd like to set up my development environment to match what I've got on the
 server, namely multiple sites under IIS with each site acting as root.

 Can anyone offer any tips and what they do that works well? Is there an
 issue or special consideration with ColdFusion Developer edition in setting
 up multiple sites under IIS?



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329513


Re: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Jeff F

I believe that you also have to add www.beta.solo.com to IIS.  If the
site is using host headers (exclusively) and gets one that isn't defined
then it throws an error.

Steve


My typing mistake. I did add www.beta.solo.com to IIS, not www.beta.test.com as 
I wrote earlier. 
That part is straightforward: http://technet.microsoft.com/en-us/library/cc753195%28WS.10%29.aspx

Even if the site is defined in IIS and the Hosts file, how does CF know this is 
a new site, and not just a dir on the default website?










Someone mentioned the 'hosts' file, too, which can be useful for
spoofing 
URLs in development.

c:\windows\system32\drivers\etc\hosts

I'm on Windows 7 with IIS7 and I just tried this.

I created a new site in IIS with a host name of www.beta.test.com
I then added the new site in the hosts file as 
127.0.0.1 www.beta.solo.com

When I browse to www.beta.solo.com I get server 500 error of the
IsapiModule. If I remember, this is a ColdFusion issue correct? 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329514


Re: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Dave Watts

 I'm on Windows 7 with IIS7 and I just tried this.

 I created a new site in IIS with a host name of www.beta.test.com
 I then added the new site in the hosts file as
 127.0.0.1 www.beta.solo.com

 When I browse to www.beta.solo.com I get server 500 error of the IsapiModule. 
 If I remember, this is a ColdFusion issue correct?

Did you map CF to all IIS virtual servers using wsconfig? If not, did
you map CF to this virtual server?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329515


Re: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Dave Watts

 My typing mistake. I did add www.beta.solo.com to IIS, not www.beta.test.com 
 as I wrote earlier.
 That part is straightforward: http://technet.microsoft.com/en-us/library/cc753195%28WS.10%29.aspx

With IIS 7, you'll have to enable IIS 6 compatibility, too. Google
IIS 7 coldfusion for more complete instructions.

 Even if the site is defined in IIS and the Hosts file, how does CF know this 
 is a new site, and not just a dir on
 the default website?

CF doesn't really need to know anything, It just needs to be mapped
to whatever virtual servers you want it to work with, using wsconfig.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329516


Re: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Jeff F

> Did you map CF to all IIS virtual servers using wsconfig? If not, did
> you map CF to this virtual server?
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/

I just did, I think and still no luck.

Using the Webserver Configuration tool, I add www.beta.solo.com in the field 
JRun Host, under IIS website I left it as All and checked the Configure 
web server for Coldfusion 8 Applications. I restarted Coldfusion and I get the 
same error. 

That error does look familiar, as I've seen when CF is not configured 
correctly. 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329518


Re: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Dave Watts

> Using the Webserver Configuration tool, I add www.beta.solo.com in the field
> JRun Host, under IIS website I left it as All and
> checked the Configure web server for Coldfusion 8 Applications. I restarted
> Coldfusion and I get the same error.
>
> That error does look familiar, as I've seen when CF is not configured
> correctly.

No, you don't have to change the JRun host, leave it at localhost. I
suspect you haven't enabled IIS 6 compatibility, as described in a
previous response.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329520


RE: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread brad

FWIW- I would use IIS over Apache any day, but I use Apache web server
on my home XP dev machine for two reasons:
1) It supported as many sites as I wanted
2) It was free.

I just try and not think about the pain in the butt that it is to
configure.  :)

~Brad

-------- Original Message --------
Subject: Re: IIS & ColdFusion Developer, best practices for setting up
multiple sites
From: Dave Watts dwa...@figleaf.com
Date: Fri, January 08, 2010 10:31 am
To: cf-talk cf-talk@houseoffusion.com




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329523


RE: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Eric Roberts

That is an XP only issue.  IIS in Vista allows multiple sites.  There was an
interview with the guy that was in charge of IIS development that said they
learned their lesson from crippling IIS in XP and wouldn't do it again
(apparently there was a lot of backlash from developers on this one)

Eric

-----Original Message-----
From: Eric Cobb [mailto:cft...@ecartech.com]
Sent: Friday, January 08, 2010 7:55 AM
To: cf-talk
Subject: Re: IIS & ColdFusion Developer, best practices for setting up
multiple sites


ColdFusion is not going to be your problem, IIS is.  If you're talking 
about setting this up on a desktop OS, then IIS isn't going to let you 
do it.  I know in XP (and pretty sure about Vista), IIS can only have 1 
website.  You can only have multiple sites in IIS on a server OS.

There are hacks and specialty software you can use to get around this, 
but natively IIS isn't going to let you do it.

Thanks,

Eric Cobb
http://www.cfgears.com



Jeff F wrote:
> I'd like to set up my development environment to match what I've got on
> the server, namely multiple sites under IIS with each site acting as root.
>
> Can anyone offer any tips and what they do that works well? Is there an
> issue or special consideration with ColdFusion Developer edition in setting
> up multiple sites under IIS?

  

 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329524


RE: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Eric Roberts

/windows/system32/drivers/etc/

Eric

-----Original Message-----
From: Dominic Watson [mailto:watson.domi...@googlemail.com]
Sent: Friday, January 08, 2010 8:26 AM
To: cf-talk
Subject: Re: IIS & ColdFusion Developer, best practices for setting up
multiple sites


Indeed, if your dev environment is not a server, and you're working on a
desktop/laptop look at this for creating multiple sites in IIS:

http://www.gafvert.info/iis/article/multiple_websites_xp.htm

Then, create a separate domain for each site in your hosts file, resolving
it to 127.0.0.1 i.e.

127.0.0.1 localhost.mysite1
127.0.0.1 localhost.mysite2
...

I don't recall exactly where the hosts file sits on windows, system32
somewhere I think...

Create each site in IIS with the corresponding host header
(localhost.mysite1, etc) and you are good to go with multiple sites with
local, root domains.

HTH

Dominic

2010/1/8 Eric Cobb cft...@ecartech.com


 ColdFusion is not going to be your problem, IIS is.  If you're talking
 about setting this up on a desktop OS, then IIS isn't going to let you
 do it.  I know in XP (and pretty sure about Vista), IIS can only have 1
 website.  You can only have multiple sites in IIS on a server OS.

 There are hacks and specialty software you can use to get around this,
 but natively IIS isn't going to let you do it.

 Thanks,

 Eric Cobb
 http://www.cfgears.com



 Jeff F wrote:
  I'd like to set up my development environment to match what I've got on
 the server, namely multiple sites under IIS with each site acting as root.
 
  Can anyone offer any tips and what they do that works well? Is there an
 issue or special consideration with ColdFusion Developer edition in
setting
 up multiple sites under IIS?
 
 
 
 

 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329525


RE: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Eric Roberts

Nope...the limitation on the dev editions is the number of unique IP's
accessing it, not host headers or domains.

Eric

-----Original Message-----
From: Jeff F [mailto:cftalk_l...@fongemie.com]
Sent: Friday, January 08, 2010 9:06 AM
To: cf-talk
Subject: Re: IIS & ColdFusion Developer, best practices for setting up
multiple sites


IIS7 on Vista and Windows 7 allow multiple sites.


Through host headers? Won't this be an issue with ColdFusion Dev edition? 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329526


RE: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Eric Roberts

CF doesn't care...IIS directs it to the proper directory so you are
accessing the correct files...CF is just running on your machine as a
translator of the CF code that is executed in those files.  Where those
files reside is irrelevant to CF.

Eric

-----Original Message-----
From: Jeff F [mailto:cftalk_l...@fongemie.com]
Sent: Friday, January 08, 2010 9:42 AM
To: cf-talk
Subject: Re: IIS & ColdFusion Developer, best practices for setting up
multiple sites


I believe that you also have to add www.beta.solo.com to IIS.  If the
site is using host headers (exclusively) and gets one that isn't defined
then it throws an error.

Steve


My typing mistake. I did add www.beta.solo.com to IIS, not www.beta.test.com
as I wrote earlier. 
That part is straight forward:
http://technet.microsoft.com/en-us/library/cc753195%28WS.10%29.aspx

Even if the site is defined in IIS and the Hosts file, how does CF know this
is a new site, and not just a dir on the default website?

Someone mentioned the 'hosts' file, too, which can be useful for
spoofing 
URLs in development.

c:\windows\system32\drivers\etc\hosts

I'm on Windows 7 with IIS7 and I just tried this.

I created a new site in IIS with a host name of www.beta.test.com
I then added the new site in the hosts file as 
127.0.0.1 www.beta.solo.com

When I browse to www.beta.solo.com I get server 500 error of the
IsapiModule. If I remember, this is a ColdFusion issue correct? 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329527


Re: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Jeff F

Just a follow up.

I got it working using everything as I listed above, but when I was using the
web server configuration tool it wasn't working. Dave was correct, I needed
to go into the Application pool settings in IIS and Enable 32-bit applications
as the default setting. I reran the Web Config & everything is good.

This is neat. Should really help with keeping paths consistent. 

I appreciate the help!

-Jeff 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329529
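
The hosts-file and host-header setup this thread converges on, as an added PowerShell example that is not part of the original messages. The site names, folder paths, pool name and the use of the IIS WebAdministration module (IIS 7.5 and later) are assumptions; binding each site to 127.0.0.1 keeps the development sites unreachable from the network.

```powershell
# Added example, not from the thread. Run from an elevated prompt.
# Site names, paths and pool name are hypothetical placeholders.
Import-Module WebAdministration

$DevSites = @{
    'localhost.mysite1' = 'C:\inetpub\dev\mysite1'
    'localhost.mysite2' = 'C:\inetpub\dev\mysite2'
}
$HostsFile  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$PoolName   = 'DefaultAppPool'
$Use32BitCF = $true   # only when a 32-bit ColdFusion runs on a 64-bit OS

# Return the address a name already resolves to in the hosts file, or $null.
function Get-HostsAddress([string]$Path, [string]$Name) {
    foreach ($line in Get-Content -Path $Path) {
        $text = $line.Split('#')[0].Trim()          # drop comments
        if (-not $text) { continue }
        $fields = @($text -split '\s+')
        if ($fields.Count -ge 2 -and ($fields[1..($fields.Count - 1)] -contains $Name)) {
            return $fields[0]
        }
    }
    return $null
}

foreach ($name in $DevSites.Keys) {
    $path = $DevSites[$name]
    $addr = Get-HostsAddress $HostsFile $name

    if ($null -eq $addr) {
        # Leading newline guards against a hosts file with no trailing newline.
        Add-Content -Path $HostsFile -Value "`r`n127.0.0.1 $name"
    } elseif ($addr -ne '127.0.0.1') {
        # An existing non-loopback mapping is left alone and the site is skipped.
        Write-Warning "$name already maps to $addr in $HostsFile; skipping"
        continue
    }

    if (-not (Test-Path $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }

    # One IIS site per name, matched on the host header, loopback only.
    if (-not (Test-Path "IIS:\Sites\$name")) {
        New-Website -Name $name -PhysicalPath $path -HostHeader $name `
                    -IPAddress 127.0.0.1 -Port 80 -ApplicationPool $PoolName | Out-Null
    }
}

# The setting Jeff changed: let the pool load a 32-bit connector on 64-bit Windows.
if ($Use32BitCF) {
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name enable32BitAppOnWin64 -Value $true
}

# Still done by hand, as described in the thread: enable IIS 6 compatibility,
# then rerun the ColdFusion Web Server Configuration Tool (wsconfig) against
# the IIS sites, leaving the JRun host at localhost.
```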


Re: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Dave Watts

> I got it working using everything as I listed above, but when I was using the
> web server configuration tool it wasn't working. Dave was correct, I needed
> to go into the
> Application pool settings in IIS and Enable 32-bit applications as the
> default setting. I reran the Web Config & everything is good.
>
> This is neat. Should really help with keeping paths consistent.

If you're using a 64-bit OS, you can use the 64-bit version of CF, you
know. Then you wouldn't have to set the application pool to 32-bit.
Not that it makes all that much difference in development.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329530


RE: IIS ColdFusion Developer, best practices for setting up multiple sites

2010-01-08 Thread Justin Scott

> There are hacks and specialty software you can use to get
> around this, but natively IIS isn't going to let you do it.

That is not the case with Windows 7 Pro and IIS 7.5 (I do not know about
previous versions).  With IIS 7.5 running on Windows 7 Pro here on my laptop
I have a number of sites configured in IIS without any trouble at all.


-Justin



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329531


(ot) mySQL best practices

2009-11-25 Thread Mike Little

hi guys, found this article really helpful...

http://net.tutsplus.com/tutorials/other/top-20-mysql-best-practices/

thought i should share! mike 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:328702


Re: SOA Coldfusion best practices

2009-06-09 Thread Tim Oommen

That was actually pretty funny, but yes I have done searches on the subject and
come back with a lot of info. I guess I was hoping to find out which approach people
leaned towards and if there were any pitfalls people have run into.

Tim

> I hate to do this, but, did you try http://tinyurl.com/nx44fe ?
>
> nathan strutz
> [Blog and Family @ http://www.dopefly.com/]
> [AZCFUG Manager @ http://www.azcfug.org/]
> [Twitter @nathanstrutz]
>
>> Are there any good sites or presentations that people can recommend for
>> best practices when implementing a SOA architecture using ColdFusion?

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323283


Re: SOA Coldfusion best practices

2009-06-09 Thread Tim Oommen

That was actually pretty funny, but yes I have done searches on the subject and
come back with a lot of info. I guess I was hoping to find out which approach people
leaned towards and if there were any pitfalls people have run into.

Tim

> I hate to do this, but, did you try http://tinyurl.com/nx44fe ?
>
> nathan strutz
> [Blog and Family @ http://www.dopefly.com/]
> [AZCFUG Manager @ http://www.azcfug.org/]
> [Twitter @nathanstrutz]
>
>> Are there any good sites or presentations that people can recommend for
>> best practices when implementing a SOA architecture using ColdFusion?

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323284


Re: SOA Coldfusion best practices

2009-06-09 Thread Gerald Guido

> Who are you kidding, you loved doing that.

Like Rodgers and Hammerstein put it, "These are a few of my favorite
things".

For what it is worth. There is also a segment on the lynda.com
"Coldfusion 8 beyond the basics" video tutes that deals with packaging data
for web services such that it is cross platform. Basically a how-to for
creating and consuming web services using arrays of structures, which is a
really handy way to package cfquery record sets.

G!

On Mon, Jun 8, 2009 at 6:27 PM, David McGuigan davidmcgui...@gmail.com wrote:

> Who are you kidding, you loved doing that.
>
> On Mon, Jun 8, 2009 at 4:14 PM, Nathan Strutz str...@gmail.com wrote:
>
>> I hate to do this, but, did you try http://tinyurl.com/nx44fe ?
 




-- 
Gerald Guido
http://www.myinternetisbroken.com
http://www.cfsimple.org/

To invent, you need a good imagination and a pile of junk.
-- Thomas A. Edison


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323285


Re: SOA Coldfusion best practices

2009-06-09 Thread Nathan Strutz

In all reality, the best thing I've seen on the subject is Sean Corfield's
PDF preso - the first result in that google search. As far as getting into
it and engaging in discussions and asking "am I doing this right?" type
questions, you can ask here, but the ColdSpring mailing list is probably a
better resource for that (http://coldspringframework.org).

nathan strutz
[Blog and Family @ http://www.dopefly.com/]
[AZCFUG Manager @ http://www.azcfug.org/]
[Twitter @nathanstrutz]


On Tue, Jun 9, 2009 at 9:55 AM, Tim Oommen toom...@duoconsulting.com wrote:


 That was actually pretty funny, but yes I have done searches on the subject
 and come back with a lot of info. I guess I was hoping to find out which approach
 people leaned towards and if there were any pitfalls people have run into.

 Tim
 I hate to do this, but, did you try http://tinyurl.com/nx44fe ?
 
 
 nathan strutz
 [Blog and Family @ http://www.dopefly.com/]
 [AZCFUG Manager @ http://www.azcfug.org/]
 [Twitter @nathanstrutz]
 
 
 
 
 
  Are there any good sites or presentations that people can recommend for
  best practices when implementing a SOA architecture using ColdFusion?
 
 

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323286


Re: SOA Coldfusion best practices

2009-06-09 Thread Judah McAuley

I'd suggest the CFCDev Google groups mailing list as well. It is kind
of a higher-level best practices in Object Oriented development list.

On Tue, Jun 9, 2009 at 11:16 AM, Nathan Strutz str...@gmail.com wrote:

 In all reality, the best thing I've seen on the subject is Sean Corfield's
 PDF preso - the first result in that google search. As far as getting into
 it and engaging in discussions and asking am I doing this right? type
 questions, you can ask here, but the ColdSpring mailing list is probably a
 better resource for that (http://coldspringframework.org).

 nathan strutz
 [Blog and Family @ http://www.dopefly.com/]
 [AZCFUG Manager @ http://www.azcfug.org/]
 [Twitter @nathanstrutz]


 On Tue, Jun 9, 2009 at 9:55 AM, Tim Oommen toom...@duoconsulting.com wrote:


 That was actually pretty funny, but yes I have done searches on the subject
 and come back with a lot of info. I guess I was hoping to find out which approach
 people leaned towards and if there were any pitfalls people have run into.

 Tim
 I hate to do this, but, did you try http://tinyurl.com/nx44fe ?
 
 
 nathan strutz
 [Blog and Family @ http://www.dopefly.com/]
 [AZCFUG Manager @ http://www.azcfug.org/]
 [Twitter @nathanstrutz]
 
 
 
 
 
  Are there any good sites or presentations that people can recommend for
  best practices when implementing a SOA architecture using ColdFusion?
 
 



 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323288


SOA Coldfusion best practices

2009-06-08 Thread Tim Oommen

Are there any good sites or presentations that people can recommend for best 
practices when implementing a SOA architecture using ColdFusion?  

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323247


Re: SOA Coldfusion best practices

2009-06-08 Thread Nathan Strutz

I hate to do this, but, did you try http://tinyurl.com/nx44fe ?


nathan strutz
[Blog and Family @ http://www.dopefly.com/]
[AZCFUG Manager @ http://www.azcfug.org/]
[Twitter @nathanstrutz]


On Mon, Jun 8, 2009 at 2:49 PM, Tim Oommen toom...@playboy.com wrote:


 Are there any good sites or presentations that people can recommend for
 best practices when implementing a SOA architecture using ColdFusion?

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323249


Re: SOA Coldfusion best practices

2009-06-08 Thread David McGuigan

Who are you kidding, you loved doing that.


On Mon, Jun 8, 2009 at 4:14 PM, Nathan Strutz str...@gmail.com wrote:


 I hate to do this, but, did you try http://tinyurl.com/nx44fe ?


 nathan strutz
 [Blog and Family @ http://www.dopefly.com/]
 [AZCFUG Manager @ http://www.azcfug.org/]
 [Twitter @nathanstrutz]


 On Mon, Jun 8, 2009 at 2:49 PM, Tim Oommen toom...@playboy.com wrote:

 
  Are there any good sites or presentations that people can recommend for
  best practices when implementing a SOA architecture using ColdFusion?
 
 

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323251


Re: SOA Coldfusion best practices

2009-06-08 Thread Ryan Letulle

ha ha
--
Ryan LeTulle


On Mon, Jun 8, 2009 at 5:27 PM, David McGuigan davidmcgui...@gmail.com wrote:


 Who are you kidding, you loved doing that.


 On Mon, Jun 8, 2009 at 4:14 PM, Nathan Strutz str...@gmail.com wrote:

 
  I hate to do this, but, did you try http://tinyurl.com/nx44fe ?
 
 
  nathan strutz
  [Blog and Family @ http://www.dopefly.com/]
  [AZCFUG Manager @ http://www.azcfug.org/]
  [Twitter @nathanstrutz]
 
 
  On Mon, Jun 8, 2009 at 2:49 PM, Tim Oommen toom...@playboy.com wrote:
 
  
   Are there any good sites or presentations that people can recommend for
   best practices when implementing a SOA architecture using ColdFusion?
  
  
 
 

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323252


Re: SOA Coldfusion best practices

2009-06-08 Thread Alan Rother

Geez Nate,
Someone is sassy today... Rough weekend?

=]

-- 
Alan Rother
Adobe Certified Advanced ColdFusion MX 7 Developer
Manager, Phoenix Cold Fusion User Group, AZCFUG.org


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323253


Re: SOA Coldfusion best practices

2009-06-08 Thread Nathan Strutz

Well, my weekend was no surprise trip to Magic Mountain or anything ;o)
I attribute all sass to lack of caffeine, but I think we all know the real
reason is that working for the man has made me a cranky person.

nathan strutz
[Blog and Family @ http://www.dopefly.com/]
[AZCFUG Manager @ http://www.azcfug.org/]
[Twitter @nathanstrutz]


On Mon, Jun 8, 2009 at 3:36 PM, Alan Rother alan.rot...@gmail.com wrote:


 Geez Nate,
 Someone is sassy today... Rough weekend?

 =]

 --
 Alan Rother
 Adobe Certified Advanced ColdFusion MX 7 Developer
 Manager, Phoenix Cold Fusion User Group, AZCFUG.org


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323257


CFPOP Checker/Uploader best practices

2009-05-29 Thread John Drake

I'm building an app that uses CFPOP to check an email box and puts whatever 
attachments are in the email onto a server and then emails back the sender the 
URL (and a TinyURL of the file as well).

I've added security - there are only a few email addresses that it will grab 
attachments for - otherwise it just deletes the mail.

I realize there are better ways to go about getting files to a server but my 
users are novices and I think it's worth a try.

I've got it working with a Gmail account and my initial tests have gone well.

The server that would be performing this does not have a significant load, and 
only a handful of users would be emailing files (mostly 1-3mb jpegs, 2mg or so 
PDFs) but still I am concerned about how it might affect the performance of the 
box.

It is on a Windows 2000 server w/ CF 6.1 so CFThread is not an option.

If it's chugging away grabbing mail attachments off the Gmail account - are 
other requests to the box slowed to a crawl?

I'm also debating how often the page with the CFPop should be called from the 
Scheduler - maybe 2 or 3 minutes apart?  It's a fine line between giving the 
user the info within a reasonable time period versus taxing the server too much 
because it's constantly checking email.  I would definitely have it stop once 
office hours were over.

If anyone has experience with this sort of thing I'd love to hear of
suggestions, solutions, pitfalls, etc.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322989


Store / Cart technical best practices and resources

2009-05-06 Thread Nick Gleason

Hey folks,

We are planning some enhancements on a cart / ecommerce system for a store
and other online purchases.  I think we have a pretty good idea of the
direction to go in, but I think it would be a good idea to review any other
technical best practices for building cart or store systems.  Are there any
resources (blog posts, etc.) that you would recommend in this regard?  I
know that's a broad request - I'm thinking of db design or coding practices.

Thanks,

Nick




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322246


Re: Store / Cart technical best practices and resources

2009-05-06 Thread John M Bliss

Check out http://www.coldfusionbloggers.org (search for shopping cart)

Other (potentially useful) stuff:

http://articles.techrepublic.com.com/5100-10878_11-1058748.html
http://www.cartweaver.com
http://www.cfshopkart.com
http://www.cf-ezcart.com
http://www.cfwebstore.com
http://www.quilldesign.com
http://www.amplecom.com

On Wed, May 6, 2009 at 2:34 PM, Nick Gleason n.glea...@citysoft.com wrote:


 Hey folks,

 We are planning some enhancements on a cart / ecommerce system for a store
 and other online purchases.  I think we have a pretty good idea of the
 direction to go in, but I think it would be a good idea to review any other
 technical best practices for building cart or store systems.  Are there any
 resources (blog posts, etc.) that you would recommend in this regard?  I
 know that's a broad request - I'm thinking of db design or coding
 practices.

 Thanks,

 Nick




 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322248


Re: CF and web services best practices

2008-12-05 Thread Dave Watts

> I'm interested in more advanced WS features support in CF like all the
> standards (WS-Security, WS-Transaction, and other WS-*).

To the best of my knowledge, CF doesn't support these features
directly, although the underlying web services engine used by CF,
Apache Axis, does.

> The security aspects are also of special interest (including the
> encryption and digital certificates)

This is all handled at the HTTP layer. If you invoke a service that
uses SSL/TLS and requires client certificates, you have to install the
client certificate in the Java keystore.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:316326


CF and web services best practices

2008-12-04 Thread Michal R

I need to gather information about CF and web services. Could anybody
point me to some resources about best practices when implementing web
services in CF? Any lessons learned, gotchas from your own experience
are even better.
I know already a bit about the complex data types and their problems in
SOAP/WSDL.
I'm also aware about the pros & cons of handcoding XML/SOAP and pushing it
through CFHTTP vs using the CFinvoke and the built-in Apache Axis
engine. Any extra info on these issues would be very useful too.

I'm interested in more advanced WS features support in CF like all the
standards (WS-Security, WS-Transaction, and other WS-*).
The security aspects are also of special interest (including the
encryption and digital certificates)

Thanks,
Michal 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:316313

