On 8/7/07, Paul Vernon wrote:
....
> I guess I should qualify that and say, use HTMLEditFormat() and
> HTMLCodeFormat() on any *untrusted* user submitted content.

What's this "trust" thing of which you speak? :-)

I was trying to find a catch-all for cfquery cuz I just went thru this same deal a few months ago. Finally got all the public, most the private (as I refactor, I get it all) paramed- and in comes a bunch more. It would be bad enough if it was only private facing stuff...

> If you are using an admin area for your users to add content using a WYSIWYG
> then the use of these techniques is out for the WYSIWYG content. However, if
> you are allowing anonymous users to submit content through the front end,
> HTMLEditFormat() and HTMLCodeFormat() will kill all XSS attempts dead!

I aim (but have so much code to maintain- it's insane) for security, even on the inside. So this begs the question- How does one secure incoming HTML content?

Guess the mainstays there, are: you don't. You use meta-markup. And a customized version of FCKEditor. Eh. Whatever man builds (or woman builds), can be de-built, I reckon. And yet... with the right regular expression(s).... :-P

I wonder, with this server-side JS, perhaps we could have a parser that would tell us if the content tried to "do" anything. Hmmm?

Bah. I'm gonna go play with my kid.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285784
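The two approaches the thread contrasts, encoding everything (what HTMLEditFormat() does) versus keeping WYSIWYG markup, and the "parser that would tell us if the content tried to do anything" the reply wonders about, worked through as an added example. This is not code from the original thread or from ColdFusion; it is Python rather than CFML, with html.escape standing in for HTMLEditFormat(). The tag/attribute allowlist and the sample fragment are constructed for the example and are not a recommended production policy.

```python
"""Encoding vs. allowlist sanitising of user-submitted HTML.

encode_all()    - the HTMLEditFormat() approach: every < > & " becomes an
                  entity, so no markup (and so no script) survives.
sanitize_html() - for WYSIWYG content that must keep its formatting:
                  parse the fragment and re-emit only allowlisted tags
                  and attributes, recording anything that tried to "do"
                  something (script, on* handlers, active URL schemes).
The allowlist below is constructed for this example, not a real policy.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED = {  # tag -> attributes that may survive on that tag
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(),
    "strong": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"}, "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL


def encode_all(text):
    """Equivalent of HTMLEditFormat(): nothing is left that a browser
    could interpret as markup."""
    return html.escape(text, quote=True)


def url_is_safe(value):
    """True only for relative URLs or http/https/mailto. Whitespace and
    control characters are removed before parsing because browsers ignore
    them, so 'java\\nscript:' would otherwise look like a relative URL."""
    cleaned = "".join(ch for ch in value if ord(ch) > 32)
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from allowlisted tags/attributes only.
    Unknown tags are dropped but their text is kept; the contents of
    <script>/<style> are dropped entirely; all text is re-encoded."""

    DROP_WITH_CONTENT = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_WITH_CONTENT:
            self.skip += 1
            self.findings.append(f"<{tag}> element")
            return
        if self.skip or tag not in ALLOWED:
            return
        parts = [tag]
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name.startswith("on"):  # event handler: record, never emit
                self.findings.append(f"{name} handler on <{tag}>")
                continue
            if name not in ALLOWED[tag]:
                continue  # style, class, data-* etc. simply vanish
            if name in URL_ATTRS and not url_is_safe(value):
                self.findings.append(f"active URL in {tag}@{name}")
                continue
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in self.DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:  # parser already decoded entities; re-encode
            self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    """Return (clean_html, findings); a non-empty findings list is the
    signal that the submission tried to do something active."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.findings


# Constructed sample: legitimate formatting mixed with the usual tricks.
SAMPLE = ('<p onclick="alert(1)">Hi <b>there</b><script>alert(1)</script>'
          '<a href="javascript:alert(1)">x</a>'
          '<a href="https://example.com" title="t">ok</a>'
          '<img src=x onerror=alert(1)></p>')

if __name__ == "__main__":
    print(encode_all(SAMPLE))
    clean, findings = sanitize_html(SAMPLE)
    print(clean)
    print(findings)
```

Run on SAMPLE, encode_all() returns the whole fragment as inert text, while sanitize_html() keeps the paragraph, bold, safe link and image but drops the handlers, the script element and the javascript: URL, and reports each of them in findings so the submission can be logged or rejected rather than silently cleaned. Note that the parser works on the decoded attribute value, so entity-encoded schemes such as &#106;avascript: are caught as well.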

