A very quick summary... Use cfqueryparam tags to insert user-provided data into the database.
Use the appropriate function (HtmlEditFormat, XmlFormat, UrlEncodedFormat, JsStringFormat) to output user-provided data. These will (should) deal with escaping all reserved characters. If in doubt, use security scanning software to run some thorough tests against your site and verify it is OK before you put it live.

Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:327309
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
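The following is an added CFML example illustrating the two rules in the post above; it is not code from the poster or from the list. The datasource name "appDSN", the table "users(id, username, bio)" and the form field "form.username" are placeholders chosen for the example. It shows the string-concatenated query beside its cfqueryparam version, and then each of the four output functions used in the context it is meant for, with the caveats a practitioner trips over most often.

```cfml
<!--- Added example, not from the original post. "appDSN", the "users" table
      and "form.username" are placeholder names. --->

<!--- VULNERABLE: user input is pasted straight into the SQL text.
      A username of   x' OR '1'='1   rewrites the WHERE clause. --->
<cfquery name="badLookup" datasource="appDSN">
    SELECT id, username, bio FROM users
    WHERE username = '#form.username#'
</cfquery>

<!--- FIXED: cfqueryparam sends the value as a bound parameter, so the
      database never parses it as SQL. cfsqltype makes the driver type-check
      it and maxlength rejects over-long input before the query runs. --->
<cfquery name="lookup" datasource="appDSN">
    SELECT id, username, bio FROM users
    WHERE username = <cfqueryparam value="#form.username#"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="50">
</cfquery>

<!--- OUTPUT: pick the encoder for the context the value lands in,
      not one encoder for the whole page. --->
<cfoutput query="lookup">

    <!--- HTML body text and double-quoted attributes.
          HtmlEditFormat escapes & < > and the double quote, but NOT the
          single quote, so attributes that carry user data must be
          double-quoted; a single-quoted title='...' is still injectable. --->
    <div id="user-#id#" title="#HtmlEditFormat(username)#">
        <p>#HtmlEditFormat(bio)#</p>

        <!--- URL query-string parameter: encode the value only, never the
              whole URL, or the separators ? and = get encoded too. --->
        <a href="profile.cfm?user=#URLEncodedFormat(username)#">profile</a>
    </div>

    <!--- XML (feed, SOAP body): XmlFormat escapes & < > " and '. --->
    <cfsavecontent variable="xmlSnippet">
        <user><name>#XmlFormat(username)#</name></user>
    </cfsavecontent>

    <!--- JavaScript string literal: JSStringFormat escapes quotes,
          backslashes and line breaks, so the value cannot close the literal.
          Caveat: it must sit INSIDE a quoted JS string (it does nothing for
          an unquoted position), and it does not encode "</script>", so an
          inline block like this still needs the HTML parser not to see a
          closing tag. The safer pattern for untrusted data is to put it in
          an HTML attribute with HtmlEditFormat and read it from the DOM. --->
    <script type="text/javascript">
        var userName = "#JSStringFormat(username)#";
    </script>

</cfoutput>
```

Note that the encoder is chosen by destination: the same username is passed through HtmlEditFormat for the HTML body, URLEncodedFormat for the link, XmlFormat for the XML fragment and JSStringFormat for the script, and a value that is first encoded for one context and then reused in another is a bug, not defence in depth.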

