1. You'd use "HtmlEditFormat" on any page that displayed the feedback. So on the public page if you show it back to the user and on the admin page. Generally, anywhere you're using #feedback# you'd want to do #htmlEditFormat(feedback)#
2. Yes, if you have a public form that is a simple text box then that is very much likely the way they're doing it. They're simply submitting the javascript code directly along with the fake feedback. It's up to you to sanitize input data. At a minimum, you'd be looking to remove any javascript from the input as that's what's being exploited here.

- Gabriel

On Mon, Mar 22, 2010 at 8:24 AM, Anthony Doherty <[email protected]> wrote:
>
> How can I use this function 'HtmlEditFormat' on my FEEDBACK field?
>
> Also before I removed the code there was some javascript being stored in the
> FEEDBACK field as well.
>
> I don't think they are entering the HACK from the administration section but
> could this type of HACK be made from a contact form - The contact form just
> asks for a NAME, EMAIL & COMMENTS field - and the COMMENTS section is just a
> simple text box.
>
> Thanks

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331938
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
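The two points Gabriel makes (encode on every page that displays the field, and validate what the public form accepts) put together as an added CFML example. This is not code from the thread or from Anthony's site: the query name `qFeedback`, its columns, the sample row and the 2000-character limit are all assumptions, and the hostile comment is a constructed sample standing in for what a form with no checking would store.

```cfml
<!--- Added example, not from the original thread. A constructed row stands in for
      the FEEDBACK table; qFeedback and its column names are assumptions. --->
<cfset qFeedback = queryNew("name,email,comments", "varchar,varchar,varchar")>
<cfset queryAddRow(qFeedback)>
<cfset querySetCell(qFeedback, "name", "Sample User")>
<cfset querySetCell(qFeedback, "email", "[email protected]")>
<!--- Constructed hostile input: markup that a text box accepted and the site stored verbatim --->
<cfset querySetCell(qFeedback, "comments", "Nice site! <script>alert('xss')</script>")>

<!--- Display page (public or admin, the rule is the same) --->
<cfoutput query="qFeedback">
    <div class="feedback">
        <!--- UNSAFE: #comments# written raw would hand the stored <script> tag to the
              browser as live markup. --->
        <!--- SAFE: encode on output. htmlEditFormat() turns <, >, & and " into entities,
              so the browser shows the text instead of running it. Apply it to every
              user-supplied field, not only the one that was abused. --->
        <p><strong>#htmlEditFormat(name)#</strong> (#htmlEditFormat(email)#)</p>
        <p>#htmlEditFormat(comments)#</p>
    </div>
</cfoutput>

<!--- Form handler: input checks are a second layer, not a replacement for encoding
      on output. The length cap is an assumption for the example. --->
<cfif structKeyExists(form, "comments")>
    <cfset cleanComments = trim(form.comments)>
    <cfif len(cleanComments) eq 0 or len(cleanComments) gt 2000>
        <cfthrow message="Comments must be between 1 and 2000 characters.">
    </cfif>
    <!--- Store cleanComments via <cfqueryparam cfsqltype="cf_sql_varchar"> in the INSERT;
          the stored value stays as typed and is encoded only when displayed. --->
</cfif>
```

Encoding at display time is what actually stops the stored script from running, because it protects every path the data can take to a browser, including rows that were already inserted before the form was fixed. Stripping "javascript" from the input is worth doing as defense in depth but is easy to get wrong on its own. On ColdFusion 10 and later, `encodeForHTML()` is the recommended successor to `htmlEditFormat()` for this purpose and can be swapped in at the same places.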

