Another method, which may be a bit more robust, is the OWASP ESAPI (Enterprise Security API) Encoder methods: decodeForHTML(str) or canonicalize(str): http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html#decodeForHTML%28java.lang.String%29
The last two security hotfixes for CF 8 and 9 both include ESAPI in the classpath, so you can use it without adding any jars. Here's some example code: http://www.petefreitag.com/item/788.cfm

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Thu, Aug 18, 2011 at 4:16 PM, Kevin Pepperman <[email protected]> wrote:
>
> XMLUnFormat() from CFLIB should do the trick.
>
> http://www.cflib.org/index.cfm?event=page.udfbyid&udfid=800
>
> --
> /Kevin Pepperman
>
> "Never memorize what you can look up in books."
> --Albert Einstein

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:346848
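The two Encoder calls Pete mentions, as an added CFML example that is not part of his post, his blog article, or the ESAPI project. It assumes what the post states: that the CF 8/9 security hotfix has put esapi.jar (with its ESAPI.properties) on the classpath. The function names decodeEntities() and canonicalizeInput() are made up for the example, and the sample inputs are constructed. One behaviour worth knowing about before picking canonicalize() over decodeForHTML(): with ESAPI's default Encoder.AllowMultipleEncoding=false setting, canonicalize() throws org.owasp.esapi.errors.IntrusionException when it finds the same characters encoded more than once (the usual filter-evasion trick), so the caller has to decide whether to reject such input or fall back; whether the hotfix ships that default is an assumption, so check the ESAPI.properties on your server.

```cfml
<!--- Added example (not from the original post or from ESAPI).
      Assumes esapi.jar and ESAPI.properties are already on the
      ColdFusion classpath, as the CF 8/9 security hotfix provides.
      Written in CF8-compatible cfscript (no typed arguments). --->
<cfscript>
// Reverse HTML entity encoding only (&lt; &#60; &#x3c; &amp; ...).
// Equivalent in purpose to the CFLIB XMLUnFormat() UDF mentioned in the thread.
function decodeEntities(input) {
    var encoder = createObject("java", "org.owasp.esapi.ESAPI").encoder();
    return encoder.decodeForHTML(input);
}

// Decode every codec ESAPI knows (HTML entities, percent-encoding, JavaScript
// escapes) repeatedly until the string stops changing. Returns a struct so the
// caller can tell "decoded cleanly" from "looked like an evasion attempt".
function canonicalizeInput(input) {
    var encoder = createObject("java", "org.owasp.esapi.ESAPI").encoder();
    var result = { ok = true, value = "", reason = "" };
    try {
        result.value = encoder.canonicalize(input);
    } catch (org.owasp.esapi.errors.IntrusionException e) {
        // Thrown (with the default strict setting) on double/mixed encoding,
        // e.g. "&amp;lt;script&amp;gt;" or "%253Cscript%253E".
        result.ok = false;
        result.reason = e.getMessage();
    }
    return result;
}

// Constructed sample inputs, not data from the thread.
singleEncoded = "&lt;b&gt;Tom &amp; Jerry&lt;/b&gt;";
doubleEncoded = "&amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;";

decoded = decodeEntities(singleEncoded);     // "<b>Tom & Jerry</b>"
canon   = canonicalizeInput(singleEncoded);  // canon.ok = true, same value
evasion = canonicalizeInput(doubleEncoded);  // canon.ok = false, reason set
</cfscript>

<cfoutput>
<p>decodeForHTML: #HTMLEditFormat(decoded)#</p>
<p>canonicalize (ok=#canon.ok#): #HTMLEditFormat(canon.value)#</p>
<p>canonicalize on double-encoded input: ok=#evasion.ok#
   <cfif NOT evasion.ok>(#HTMLEditFormat(evasion.reason)#)</cfif></p>
</cfoutput>
```

Note that the decoded strings are passed back through HTMLEditFormat() before being written to the page; decoding entities for processing and re-encoding for output are separate steps, and skipping the second one is exactly how a decoder like this turns into an XSS bug.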

