Hi. I have a question about the wisdom of disabling the scriptProtect function in application.cfc.
In my application.cfc, I have set <cfset this.scriptProtect = "No">, like this:

    <cfcomponent output="false">
        <cfset this.scriptProtect = "No">

I did this to allow my client to paste the OBJECT tag into TinyMCE in her content management system. Previously, when she pasted:

    <OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
            codebase="http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab"
            id="Player_8fb00b70-06ad-4ced-acd0-5ba940ba131c" WIDTH="500px" HEIGHT="175px"> .. etc . ..

ColdFusion would replace OBJECT with InvalidTag. She needs to paste in embed codes for various Amazon widgets.

I have read up on Pete Freitag's notes about the scriptProtect function.

My question: is there a safer way to allow my client to paste her Amazon widgets into TinyMCE? I prefer not to turn off scriptProtect, even if its protection is incomplete.

Thank you for any advice.

Eric

p.s. in my edit form (which updates the data table) I have set:

    <!--- in user-editable form fields, set up protection against XSS --->
    <cfloop collection="#FORM#" item="field">
        <cfset FORM[field] = ReReplaceNoCase(FORM[field], "<script.*?>.*?</script>", "", "all")>
    </cfloop>

I do not know if that offsets disabling the scriptProtect function.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353830
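If scriptProtect stays off for that form, a stricter replacement for the script-stripping regex in the post is to accept the pasted field only when every tag, attribute and URL host is on an allow-list, and reject it otherwise. This is an added example in Python, not ColdFusion code from the post or the list; the hosts in ALLOWED_HOSTS are assumed for the example (fpdownload.macromedia.com is taken from the pasted codebase, the Amazon host is a placeholder).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list for the one CMS field that must accept pasted widget markup.
# The hosts here are assumptions for this example, not taken from the post.
ALLOWED_HOSTS = {"fpdownload.macromedia.com", "widgets.amazon.example"}
ALLOWED_TAGS = {
    "object": {"classid", "codebase", "id", "width", "height"},
    "param": {"name", "value"},
    "embed": {"src", "type", "width", "height"},
}
URL_ATTRS = {"codebase", "src", "value"}  # attributes that may carry a URL


class EmbedValidator(HTMLParser):
    """Collects every reason the pasted markup falls outside the allow-list."""

    def __init__(self):
        super().__init__()
        self.problems = []

    def handle_starttag(self, tag, attrs):  # HTMLParser lowercases tag/attr names
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:
            self.problems.append(f"tag <{tag}> is not allowed")
            return
        for name, value in attrs:
            if name not in allowed:  # rejects on* handlers, style, etc.
                self.problems.append(f"attribute {name} on <{tag}> is not allowed")
            elif name in URL_ATTRS and value:
                url = urlparse(value.strip())
                if url.scheme and url.scheme not in ("http", "https"):
                    self.problems.append(f"scheme {url.scheme} is not allowed")
                elif url.netloc and (url.hostname or "") not in ALLOWED_HOSTS:
                    self.problems.append(f"host {url.hostname} is not allowed")

    def handle_data(self, data):
        if data.strip():  # no loose text or script bodies between tags
            self.problems.append("text outside tags is not allowed")

    def handle_comment(self, data):
        self.problems.append("comments are not allowed")


def validate_embed(markup):
    """Return a list of problems; an empty list means the markup may be stored."""
    parser = EmbedValidator()
    parser.feed(markup)
    parser.close()
    return parser.problems
```

Run it on the one field that holds the widget code and refuse the save when the list is non-empty; the other form fields need no OBJECT tag and can stay under the normal filtering.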

