Yeah, I misinterpreted the original email. I was under the impression that
the issue was that he was using htmleditformat() to sanitize his data before
inserting it into the database, then when the user tried to sign in, their
passwords didn't match.

I see what you're saying, good point. :)

-----Original Message-----
From: Gaulin, Mark [mailto:[email protected]] 
Sent: Friday, June 26, 2009 3:10 PM
To: cf-talk
Subject: RE: HTMLEditFormat() on Password Fields


Paul, you are correct in what htmlEditFormat does to its input, but not
in how it will be interpreted when used in a real form, like this:

<cfset whoBobLikes = "Mary & kate">
<cfset sanitizeBob = htmleditFormat(whoBobLikes)>
<cfoutput>
<form action="dumpformvars.cfm">
<input name="x" value="#sanitizeBob#">
</form>
</cfoutput>

When you submit that form the value of x will be "Mary & kate", not
"Mary &amp; kate".  That is what encoding is for... preserving the
original value.

Thanks
        Mark


-----Original Message-----
From: Paul Alkema [mailto:[email protected]] 
Sent: Friday, June 26, 2009 12:45 PM
To: cf-talk
Subject: RE: HTMLEditFormat() on Password Fields


mm.. It actually does.

If you go..


The variable sanitizeBob will become "Mary &amp; Kate".


Dawson, if I were you I would recommend using the htmleditformat()
function either only inside edit boxes, or while you're trying to output
the password onto a page.

I think your issue is you're using it to sanitize the data and, well, you're
going to have issues with that. I personally am against changing a user's
data; I think if you're going to do any sort of sanitization it should be
done on the output rather than on the input.

Also, just a recommendation, if you're trying to do this sanitization
for XSS security purposes, I would look into enabling global script
protection in the ColdFusion administrator. This will sanitize all of
your form, cgi, url and cookie information so that you don't need to
worry about XSS attacks. At least for the most part.
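
The round trip Mark describes (encode on output, browser decodes before posting) and the encode-on-input mistake Paul warns about, as an added Python example that is not part of this thread or of ColdFusion; html.escape stands in for htmlEditFormat(), and browser_submit is a constructed stand-in for what the browser posts back:

```python
import html
import re

# Constructed sample values; the names come from the thread's own examples.
WHO_BOB_LIKES = "Mary & kate"
PASSWORD = "Mike&Becky"


def render_input(name: str, value: str) -> str:
    """Render an <input> with its value encoded for an HTML attribute.

    html.escape(quote=True) plays the role of htmlEditFormat(): '&' becomes
    '&amp;' and '"' becomes '&quot;', so the value cannot end the attribute.
    """
    return f'<input name="{name}" value="{html.escape(value, quote=True)}">'


def browser_submit(tag: str) -> str:
    """Stand-in for the browser: entities in the attribute are decoded before
    the form is posted, so the server receives the original characters."""
    match = re.search(r'value="([^"]*)"', tag)
    if match is None:
        raise ValueError("no value attribute in tag")
    return html.unescape(match.group(1))


def round_trip(value: str) -> str:
    """Encode on output, then let the browser post the value back."""
    return browser_submit(render_input("x", value))


def store_raw(submitted: str) -> str:
    """Correct: keep the user's data as entered; encode only when rendering."""
    return submitted


def store_encoded_on_input(submitted: str) -> str:
    """The mistake under discussion: 'sanitising' the value before storing it.
    Rendering this stored value later double-encodes it ('&amp;amp;')."""
    return html.escape(submitted, quote=True)


def sign_in(stored: str, typed: str) -> bool:
    """Plain comparison keeps the demonstration short; a real system would
    compare a password hash, and the same mismatch would occur there."""
    return stored == typed
```

With raw storage the user's "Mike&Becky" matches at sign-in; with encode-on-input the stored value is "Mike&amp;Becky" and the comparison fails.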

-----Original Message-----
From: Gaulin, Mark [mailto:[email protected]]
Sent: Friday, June 26, 2009 12:37 PM
To: cf-talk
Subject: RE: HTMLEditFormat() on Password Fields


Hi
Use htmlEditFormat()... The encodings ("&" -> "&amp;", for example)
don't affect the actual value in the edit box... It only changes the
HTML used to get that value into the edit box (safely). Try it for
yourself to see... (and if I'm wrong, well damn, let me know and I will
have just learned something).
Thanks
        Mark

-----Original Message-----
From: Dawson, Michael [mailto:[email protected]] 
Sent: Friday, June 26, 2009 12:20 PM
To: cf-talk
Subject: HTMLEditFormat() on Password Fields


Is it wise to use htmlEditFormat() on the value of password fields?
 
It is allowed for a user to enter "&" as part of their password.
 
However, if I use htmlEditFormat(form.password) as the value of a
password field, it will escape it to "&amp;".
 
Therefore a password may end up being "Mike&amp;Becky" rather than
"Mike&Becky".
 
As such, should you use htmlEditFormat() on username fields as well?
 
Thanks!
 
Michael Dawson
Manager of Web Applications
Office of Technology Services
University of Evansville
 
Each time you send an email message with a background pattern or loud
background color, an endangered tree dies.
Please help us save a tree. Just say "NO" to email backgrounds.
 