Don, I was responding to your suggestion and I got carried away and wrote about 5 paragraphs.... So instead of cluttering up the list I put it in a blog post:
http://www.coldfusionmuse.com/index.cfm/2008/3/13/cf8.catch.22

As a practical note specifically for you, I would mention that you are free to use FCK editor without the Adobe implementation - and it is just as easy. You can download the latest and greatest from the web. There is even a custom component (and a custom tag, I think) you can use. You can strip it down to the bones as needed. We use it all the time for many applications on CF 6 through CF 8.

Also I was interested in your off the cuff comment regarding scary script kiddie attacks (or kitties if you like). If I hear you correctly you mean that you want to make sure the editor "doesn't make it too easy" to attempt attacks. Keep in mind that there is no protection (none, zero, zilch, nada, bupkis) provided by any client side code against attack. Validating user input is always always always (did I mention always) a server side task - and therefore it has little to do with which editor you use. Client side code and validation is about convenience and the user experience - but user submitted data must be religiously vetted on the server regardless of what you are doing on the client.

Of course CF provides some global server side protection for XSS but not for things like HTML or SQL injection. No client side code can protect against such attacks because, once that HTML buffer leaves your server and is sent to the browser, it is out of your control.

Oh! Thanks for letting me stand in for Ben. I'm also open to speaking for Ray when he's in the john - or Dave Watts when he's busy on the phone with Bill Gates (ha).

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Don L [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2008 6:48 PM
To: CF-Talk
Subject: Re: Help Adobe plan the future of ColdFusion (along that line)

Hey Mark, I'm just tossing an idea around, absolutely no pressure on Adobe.
But I do hope Adobe would come up with a fix/patch for their FckEditor integration very quickly, my beta users like its WYSIWYG feature but are getting mad with me for its slow rendering and sometimes it fails (cf8 standard)... some of the alternative solutions were either only able to work in a very simple environment or scary, script kittie attack... I understand this is a first-cut but Data Capture is a critical element for any business application... Hope you would agree. I don't like to bug Ben all the time...

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:301150

