I've played around with this a little and have found that it doesn't seem to
pose a security risk.
When the data is submitted to the database to be inserted, it is interpreted
as a string, and is not interpreted by CFserver as anything special, thus no
CFML can be executed. Likewise, when it is called from the database to be
displayed, it is read as a string. The HTML tags are interpreted because
the _browser_ interprets the HTML, but not the CFML tags because it needs to
go through the server to be interpreted. Thus, when it comes across the
CFML, the browser thinks they're HTML tags and just leaves them be as
unrecognizable tags. The string is never sent to the server in a format
that would allow it to be interpreted. In fact, in my efforts to run a
query or display user data or anything else, it just displayed the text
within the tags (i.e., <cfoutput>#myCompanySecret# </cfoutput> would just
show up as #myCompanySecret#), and jumped over the CFML tags as
unrecognizable.
At any rate, these are my findings. Anyone find anything different? I'd be
very interested to know if anyone's found holes.
Robyn
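Todd's question below (strip CFML but still allow basic HTML such as font, p and br) and Robyn's test with `<cfoutput>#myCompanySecret# </cfoutput>` can both be illustrated with a small allow-list filter. The following is an added example, not code from this thread or from any ColdFusion tag library; it is written in Python rather than CFML so it can be run as-is, and the names `sanitize_submission`, `ALLOWED_TAGS` and `ALLOWED_ATTRS` and all sample inputs are constructed for the example. It escapes rather than deletes anything it does not recognise, so a submitter's text stays visible but can never be parsed as a tag.

```python
import re

# Tags a submitter may use for basic formatting (Todd's "font, p, br, etc.").
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "font"}
# Attributes kept per allowed tag; anything else (event handlers included) is dropped.
ALLOWED_ATTRS = {"font": {"color", "size", "face"}}
# Attribute values are limited to plain characters so nothing can break out of the quotes.
SAFE_VALUE_RE = re.compile(r"[A-Za-z0-9#,+\- ]+")

# One tag: optional '/', a name, attributes (quoted values may contain '>'), optional '/'.
TAG_RE = re.compile(
    r"""<\s*(/?)\s*([A-Za-z][A-Za-z0-9_]*)"""
    r"""((?:\s+[^\s=/>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)"""
    r"""\s*(/?)\s*>"""
)
ATTR_RE = re.compile(r"""([^\s=/>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?""")


def _escape(raw):
    """Neutralise a tag by rendering its angle brackets as text."""
    return raw.replace("<", "&lt;").replace(">", "&gt;")


def _render_tag(m):
    """Return the sanitised form of one matched tag."""
    closing, name, attrs, selfclose = m.group(1), m.group(2).lower(), m.group(3), m.group(4)
    # CFML tags (cfoutput, cffile, cfdirectory, ...) and any tag not on the allow list
    # are escaped, not deleted: the submitter's text remains visible, inert.
    if name.startswith("cf") or name not in ALLOWED_TAGS:
        return _escape(m.group(0))
    if closing:
        return f"</{name}>"
    kept = []
    for am in ATTR_RE.finditer(attrs):
        attr, val = am.group(1).lower(), am.group(2)
        if val is None or attr not in ALLOWED_ATTRS.get(name, set()):
            continue
        val = val.strip("\"'")
        if SAFE_VALUE_RE.fullmatch(val):
            kept.append(f'{attr}="{val}"')
    tail = " /" if selfclose else ""
    return "<" + " ".join([name] + kept) + tail + ">"


def sanitize_submission(text):
    """Scan left to right; every '<' either starts a recognised tag or is escaped."""
    out, pos = [], 0
    while True:
        lt = text.find("<", pos)
        if lt == -1:
            out.append(text[pos:])
            return "".join(out)
        out.append(text[pos:lt])
        m = TAG_RE.match(text, lt)
        if m is None:  # stray or unterminated '<' (e.g. "a < b")
            out.append("&lt;")
            pos = lt + 1
        else:
            out.append(_render_tag(m))
            pos = m.end()


if __name__ == "__main__":
    # Constructed sample submissions, including the one Robyn tried.
    for sample in (
        "<p>Hello <b>world</b></p>",
        "<cfoutput>#myCompanySecret# </cfoutput>",
        '<cfset x = "a>b">',
        '<font color="red" onclick="beep()">hi</font>',
        "a < b",
    ):
        print(repr(sanitize_submission(sample)))
```

The `#myCompanySecret#` text passes through untouched, which matches what Robyn saw: ColdFusion only evaluates `#...#` in template source, not in the contents of a variable it is outputting, so stored text becomes executable only if it is ever written into a .cfm file that is then included or handed to Evaluate(). The attribute allow list is what answers Todd's second question: once arbitrary HTML is accepted, the browser runs whatever attributes come with it, so only known-harmless ones are kept.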
-----Original Message-----
From: Jay Sudowski - Handy Networks LLC [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 09, 2000 1:54 PM
To: [EMAIL PROTECTED]
Subject: Re: CFML be gone!
Todd,
Nice question - I'm interested in a tag / functions / pain-in-the-butt
work-around that would remove just the CFML tags. Previous to your post, I
failed to realize that if I allow people to submit HTML tags along with
their text, they could also submit CFML tags, creating a major security
hazard. :-(
Any ideas, great and wonderful CF gurus?
- Jay
----- Original Message -----
From: "Todd Ashworth" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 09, 2000 10:07 AM
Subject: CFML be gone!
> I have some forms where people can dump text into a database that is then
> displayed on another page. I do wish to allow HTML to be submitted, for
> formatting if they desire, but I DO NOT want them to be able to submit CFML,
> since I have CFFILE and CFDIRECTORY enabled .. and so-on.
>
> I have found several tags that remove HTML or HTML and CFML .. Is there a
> tag that only removes CFML?
>
> Would there be any reason not to allow them to submit HTML as well? If so,
> is there a way to limit the HTML to only the basic formatting tags (font, p,
> br, etc.)?
>
> .Todd
>
>
> ------------------------------------------------------------------------------
> Archives: http://www.eGroups.com/list/cf-talk
> To Unsubscribe visit
> http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
> send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
>