mm.. It actually does. If you go..
<cfset whoBobLikes = "Mary & kate">
<cfset sanitizeBob = htmleditFormat(whoBobLikes)>

The variable sanitizeBob will become "Mary &amp; Kate".

Dawson, if I were you I would recommend using the htmleditformat() function either only inside edit boxes, or while you're trying to output the password onto a page. I think your issue is you're using it to sanitize the data and, well, you're going to have issues with that. I personally am against changing a user's data; I think if you're going to do any sort of sanitization it should be done on the output rather than on the input.

Also, just a recommendation: if you're trying to do this sanitization for XSS security purposes, I would look into enabling global script protection in the ColdFusion administrator. This will sanitize all of your form, cgi, url and cookie information so that you don't need to worry about XSS attacks. At least for the most part.

-----Original Message-----
From: Gaulin, Mark [mailto:[email protected]]
Sent: Friday, June 26, 2009 12:37 PM
To: cf-talk
Subject: RE: HTMLEditFormat() on Password Fields

Hi

Use htmlEditFormat()... The encodings ("&" -> "&amp;", for example) don't affect the actual value in the edit box... It only changes the HTML used to get that value into the edit box (safely). Try it for yourself to see... (and if I'm wrong, well damn, let me know and I will have just learned something).

Thanks
Mark

-----Original Message-----
From: Dawson, Michael [mailto:[email protected]]
Sent: Friday, June 26, 2009 12:20 PM
To: cf-talk
Subject: HTMLEditFormat() on Password Fields

Is it wise to use htmlEditFormat() on the value of password fields?

It is allowed for a user to enter "&" as part of their password. However, if I use htmlEditFormat(form.password) as the value of a password field, it will escape it to "&amp;". Therefore a password may end up being "Mike&amp;Becky" rather than "Mike&Becky".

As such, should you use htmlEditFormat() on username fields as well?

Thanks!
Michael Dawson
Manager of Web Applications
Office of Technology Services
University of Evansville

Each time you send an email message with a background pattern or loud background color, an endangered tree dies. Please help us save a tree. Just say "NO" to email backgrounds.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323980
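To make the distinction in the thread concrete (encode at output vs. escape the stored value), here is an added example that is not from the thread and not CFML: Python's html.escape stands in for htmlEditFormat(), and a small parser stands in for the browser reading the value attribute back out of the rendered input tag. The sample passwords are constructed.

```python
import html

# Constructed sample passwords (not taken from the thread).
SAMPLES = ["Mike&Becky", 'pa"ss<word>', "plain"]


def render_password_field(value: str) -> str:
    """Encode the value ONLY for the HTML attribute (output-time encoding,
    the equivalent of htmlEditFormat() inside the edit box)."""
    return '<input type="password" name="password" value="%s">' % html.escape(value, quote=True)


def browser_submitted_value(rendered: str) -> str:
    """Simulate what the browser posts back: it parses the attribute and
    decodes the entities, so the user's original characters are restored."""
    start = rendered.index('value="') + len('value="')
    end = rendered.index('"', start)  # first raw quote closes the attribute
    return html.unescape(rendered[start:end])


def sanitize_on_input(value: str) -> str:
    """The pattern Dawson was worried about: escaping before storing,
    which permanently changes the user's data."""
    return html.escape(value, quote=True)


def round_trips_unchanged(value: str) -> bool:
    """True when output-time encoding leaves the submitted value intact."""
    return browser_submitted_value(render_password_field(value)) == value


def attribute_is_intact(rendered: str) -> bool:
    """True when no raw quote or angle bracket survived inside the attribute,
    i.e. the value cannot break out of the input tag."""
    inner = rendered[rendered.index('value="') + 7:rendered.rindex('">')]
    return not any(c in inner for c in '"<>')


if __name__ == "__main__":
    for pw in SAMPLES:
        tag = render_password_field(pw)
        print(tag, "->", browser_submitted_value(pw and tag))
        print("stored if sanitized on input:", sanitize_on_input(pw))
```

Encoding at output leaves "Mike&Becky" as "Mike&Becky" when the form comes back, while sanitizing on input stores "Mike&amp;Becky" and gets double-encoded ("&amp;amp;") the next time it is displayed.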

