> I will do. Another quick point, anybody who has had any experience with
> FCKeditor and saving the entered content into a SQL server database, are
> there any critical things to look out for i.e. any string replacement that
> needs to be done in order to save the content? Ways to prevent malicious
> code being entered?

I'm using an XSLT transformation to strip out any references to
script, form, frame, frameset and iframe tags, as well as any attribute
beginning with "on" in an attempt to prevent XSS attacks. Although I'm
not using FCKEditor ... right now I'm using HTMLArea, although I'm
planning to move to TinyMCE. I'm not real thrilled with the API for
any of them -- although the API for HTMLArea seems better than TinyMCE,
which appears to be a much better tool overall. My biggest reason for
wanting to use TinyMCE is that it looks to me cleaner / easier for the
end user.

When you validate the form on the server, make sure the posted content
is valid XML and strip content like this:

<cftry>
        <!--- Parse the posted content as XML; malformed markup throws here and lands in cfcatch --->
        <cfset myxml = XMLParse(form.fieldname)>
        <!--- Run the parsed document through the filter stylesheet shown below --->
        <cfset myxml = XMLTransform(myxml, expandpath('filter.xsl'))>

        <cfcatch type="any">
                <!--- ... do error handling -- tell the user they need to post valid xml ... --->
        </cfcatch>
</cftry>

(I recommend not using expandpath, but that's aside from the point.)
The path should be a local path to the file on your server and it
should point to an XSL sheet that looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
        exclude-result-prefixes="tap"
        xmlns:tap="http://www.fusiontap.com"
        xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
        <xsl:output method="xml" indent="no" omit-xml-declaration="yes" />

        <xsl:variable name="lcase" select="'abcdefghijklmnopqrstuvwxyz'" />
        <xsl:variable name="ucase" select="'ABCDEFGHIJKLMNOPQRSTUVWXYZ'" />
        <!-- Comma-delimited blacklist of element names; names are lowercased before lookup -->
        <xsl:variable name="tags" select="',script,frame,frameset,iframe,variable,form,input,select,option,textarea,button,'" />

        <!-- Copy every element that is not on the blacklist, keeping only attributes that are
             outside the onTap namespace, do not start with "on" and do not start with "javascript:" -->
        <xsl:template match="/xml//*[contains($tags,concat(',',translate(local-name(),$ucase,$lcase),','))=false()]">
                <xsl:copy>
                        <xsl:copy-of select="@*[
                                translate(normalize-space(namespace-uri(.)),$ucase,$lcase)!='http://www.fusiontap.com'
                                and starts-with(translate(local-name(),$ucase,$lcase),'on')=false()
                                and starts-with(translate(normalize-space(.),$ucase,$lcase),'javascript:')=false()
                        ]" />
                        <xsl:apply-templates />
                </xsl:copy>
        </xsl:template>

        <!-- Empty templates: onTap-namespace elements and blacklisted elements are dropped
             together with their whole subtree -->
        <xsl:template match="//*[translate(normalize-space(namespace-uri(.)),$ucase,$lcase)='http://www.fusiontap.com']" />
        <xsl:template match="//*[contains($tags,concat(',',translate(local-name(),$ucase,$lcase),','))=true()]" />
</xsl:stylesheet>

If you're using CF 6 you will need to read the xsl file first with
cffile.

hth

s. isaac dealey     954.522.6080
new epoch : isn't it time for a change?

add features without fixtures with
the onTap open source framework

http://www.fusiontap.com
http://coldfusion.sys-con.com/author/4806Dealey.htm
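As an added illustration (not code from the message above or from the onTap framework), the stylesheet's filtering rules ported to Python's standard library, so the behaviour can be checked offline against a constructed post: blacklisted elements and onTap-namespace elements go with their subtree, on* attributes, onTap-namespace attributes and javascript: values are dropped, and malformed input raises, which is the cfcatch case. The wrapper element name `root` and the sample markup are my own choices.

```python
import xml.etree.ElementTree as ET
TAP_NS = "http://www.fusiontap.com"
# The stylesheet's $tags blacklist, plus iframe (the message says it is stripped).
# Anything not listed here passes through untouched: it is a blacklist, not a whitelist.
BLOCKED_TAGS = {"script", "frame", "frameset", "iframe", "variable", "form",
                "input", "select", "option", "textarea", "button"}

def _split(qname):  # ElementTree '{ns}local' -> (ns, local), both lowercased
    if qname.startswith("{"):
        ns, local = qname[1:].split("}", 1)
        return ns.strip().lower(), local.lower()
    return "", qname.lower()
def _keep_attr(name, value):
    """The predicate inside the stylesheet's <xsl:copy-of select="@*[...]">."""
    ns, local = _split(name)
    if ns == TAP_NS or local.startswith("on"):
        return False
    # translate(normalize-space(.), $ucase, $lcase) must not start with 'javascript:'
    return not " ".join(value.split()).lower().startswith("javascript:")
def _filter(elem):
    """Filtered copy of elem, or None when the whole subtree is dropped."""
    ns, local = _split(elem.tag)
    if ns == TAP_NS or local in BLOCKED_TAGS:
        return None
    clean = ET.Element(elem.tag, {k: v for k, v in elem.attrib.items()
                                  if _keep_attr(k, v)})
    clean.text, clean.tail = elem.text, elem.tail
    for child in elem:
        kept = _filter(child)
        if kept is not None:
            clean.append(kept)
        elif child.tail:  # XSLT keeps the text node after a dropped element;
            if len(clean):  # ElementTree stores it as that element's tail
                clean[-1].tail = (clean[-1].tail or "") + child.tail
            else:
                clean.text = (clean.text or "") + child.tail
    return clean

def sanitize(fragment):
    """Wrap, parse (malformed input raises ET.ParseError, the cfcatch case) and
    filter; the wrapper itself is not copied, as with the '/xml//*' pattern."""
    root = ET.fromstring("<root>" + fragment + "</root>")
    out = root.text or ""
    for child in root:
        kept = _filter(child)
        out += (child.tail or "") if kept is None else ET.tostring(kept, encoding="unicode")
    return out
# Constructed sample post that exercises every rule above
SAMPLE = ('<p xmlns:tap="http://www.fusiontap.com">Hello <a href="  JavaScript:f()" '
          'title="t">link</a><script>x()</script> more text<b onclick="x()" tap:id="3">bold</b></p>')
```

`sanitize(SAMPLE)` returns `<p>Hello <a title="t">link</a> more text<b>bold</b></p>`; note that, exactly like the stylesheet, an element that is simply not on the list is left alone.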

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:216426
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4