cfqueryparam is your friend.
On Fri, Aug 27, 2010 at 2:19 PM, <[email protected]> wrote:
>
> Hi there - I have it in the handle as shown below - but the javascript
> still executes,
>
> so, if I put <script>alert...</script> in the logname field on the form -
> the alert comes up and then the form processes correctly. I'm just trying
> to prevent the alert or whatever js code is in there maliciously from
> executing.
>
> <cfif isdefined("form.logname")>
> <cfquery name="getuser" datasource="#application.dsn#">
> select * from t_s1 u, t_s2 x where id =
> '#htmleditformat(form.logname)#' and u.id = x.id
> </cfquery>
>
> ____________________________________________________________________________________________
> Cindi Gannon, Sr Programmer Analyst ? The Bank of New York Mellon
> Corporation
> BNY Mellon Technology Support ? General Services Support Systems
> Syracuse Office: (315) 362-1196 ? FAX (315) 362-3603
> [email protected]
>
> From: "Mark A. Kruger" <[email protected]>
> To: cf-talk <[email protected]>
> Date: 08/27/2010 02:11 PM
> Subject: RE: HTMLEditFormat and Cross Site Scripting
>
> Cindi,
>
> You need to use HTMLedit format in the handler... where's the code that
> takes the Post request and does something with it?
>
> -Mark
>
> Mark A. Kruger, MCSE, CFG
> (402) 408-3733 ext 105
> Skype: markakruger
> www.cfwebtools.com
> www.coldfusionmuse.com
> www.necfug.com
>
> -----Original Message-----
> From: cindi gannon [mailto:[email protected]]
> Sent: Friday, August 27, 2010 1:00 PM
> To: cf-talk
> Subject: HTMLEditFormat and Cross Site Scripting
>
> New to the cross site scripting arena - trying to prevent users from
> entering javascript into form fields and the javascript from executing.
>
> Pretty much anything goes in the form fields - so I am trying to add
> htmleditformat to my code - but the javascript is still executing when I
> click submit. What am I doing wrong??
>
> No matter what, anytime I put in some script code into the ID input box -
> the JS gets executed.
>
> code:
>
> <form action="index.cfm" method="POST" name="myForm">
> <cfoutput>
> <tr><td align="right" class="text9">
> Enter ID:</td><td><input type="text" name="logName"
> value="#HtmlEditFormat(VARIABLES.logName)#" size="12"></td></tr>
> </cfoutput>
> <tr><td align="center" colspan="2" >
> <input type="submit" name="submit" id="subbtn" title="Submit"
> value="Submit" />
> </td></tr>
> </FORM>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336628
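The two points raised in this thread, written out as an added example rather than code from any of the posters: the handler sends form.logname to the database through cfqueryparam instead of interpolating it into the SQL string (which is what "cfqueryparam is your friend" is about), and HTMLEditFormat is applied where the value is rendered back into the page, not inside the query. Table names, the datasource variable and the form markup follow the quoted messages; the table wrapper, the maxlength of 12, and the result display are assumptions.

```cfml
<!--- index.cfm handler: runs when the form below is POSTed --->
<cfif structKeyExists(form, "logname")>
    <!--- The value travels to the driver as a bound parameter, so quotes
          or SQL fragments typed into the field stay data and cannot
          change the statement. HTMLEditFormat does nothing for SQL. --->
    <cfquery name="getuser" datasource="#application.dsn#">
        select *
        from t_s1 u, t_s2 x
        where u.id = <cfqueryparam value="#form.logname#" cfsqltype="cf_sql_varchar" maxlength="12">
          and u.id = x.id
    </cfquery>

    <!--- Keep the raw submitted value; it is encoded at output time only. --->
    <cfset variables.logName = form.logname>
<cfelse>
    <cfset variables.logName = "">
</cfif>

<cfoutput>
<!--- HTMLEditFormat turns < > & " into entities, so <script>...</script>
      typed into the field is rendered as literal text, not parsed as markup.
      Every place the value (or anything read back from the database) is
      written into HTML needs the same encoding. --->
<form action="index.cfm" method="POST" name="myForm">
  <table>
    <tr>
      <td align="right" class="text9">Enter ID:</td>
      <td><input type="text" name="logName" value="#HTMLEditFormat(variables.logName)#" size="12"></td>
    </tr>
    <tr>
      <td align="center" colspan="2">
        <input type="submit" name="submit" id="subbtn" title="Submit" value="Submit" />
      </td>
    </tr>
  </table>
</form>

<!--- Data coming out of the query is untrusted too: encode it on the way out. --->
<cfif structKeyExists(variables, "getuser") and getuser.recordCount gt 0>
  <p>Found #getuser.recordCount# record(s) for ID #HTMLEditFormat(variables.logName)#.</p>
<cfelseif len(variables.logName)>
  <p>No record found for ID #HTMLEditFormat(variables.logName)#.</p>
</cfif>
</cfoutput>
```

HTMLEditFormat covers the element-content and double-quoted-attribute contexts used here; values placed into JavaScript, URLs or CSS need context-specific encoding instead.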

