CF doesn't offer any automatic validation to protect HTML input, but like
Dave says, server-side tests are a MUST if you don't want to allow users'
typing to be interpreted as tags.  We usually have application variables named
something like "goodlist" and "badlist" and use the listReplace() function
on ALL text that we may want to display as HTML.  If we're not doing any
other character limitation (like double-byte chars) these lists have three
items in each:
  <!--- '&' must come first: ReplaceList() applies the pairs in order, so
        the '&' in an '&lt;' or '&gt;' produced by an earlier pair would
        otherwise be re-encoded as '&amp;lt;' --->
  <cfset badlist  = "&,<,>">
  <cfset goodlist = "&amp;,&lt;,&gt;">

  <cfset userInput = ReplaceList(userInput, badlist, goodlist)>

But these lists could be expanded to cover any characters you wanted to
protect against.

If you want client-side validation as well, you can achieve the same thing
with JavaScript, but you must STILL do the server-side checking as well.
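
The badlist/goodlist escaping described above, as an added JavaScript example that is not code from this thread: `replaceList` mirrors a sequential list-based replacement, and `escapeHtml` is a single-pass escaper that also covers quotes for attribute values. The function names and the sample input are my own constructions.

```javascript
// Mirrors a sequential list-based replace (the badlist/goodlist approach):
// each pair is applied to the whole string in turn, so later pairs see the
// output of earlier ones.  Lists are comma-delimited, as in the post.
function replaceList(str, badList, goodList) {
  const bad = badList.split(",");
  const good = goodList.split(",");
  return bad.reduce((acc, ch, i) => acc.split(ch).join(good[i]), str);
}

// Wrong order: '&' is replaced last, so the '&' inside the entities produced
// by the earlier pairs is re-encoded ("<" becomes "&amp;lt;").
function escapeWrongOrder(str) {
  return replaceList(str, "<,>,&", "&lt;,&gt;,&amp;");
}

// Correct order for the sequential approach: encode '&' first.
function escapeRightOrder(str) {
  return replaceList(str, "&,<,>", "&amp;,&lt;,&gt;");
}

// Single-pass escaper: each special character is looked up exactly once, so
// list order cannot matter.  Quotes are included so the output is also safe
// inside HTML attribute values, not only between tags.
const ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Constructed sample input: markup plus a literal ampersand.
const SAMPLE = '<script>alert("x")</script> & co';

// Escaped text is rendered as literal characters, not interpreted as tags.
function renderSample() {
  return escapeHtml(SAMPLE);
}
```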

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 13, 2001 10:04 AM
To: CF-Talk
Subject: RE: form fields


> Is there any way in CF to set the input type of a form field. 
> Basically I only want the user to be able to enter text and 
> not HTML in a form field?

The short answer is "not really". You can't do anything in CF to limit what
a user can put into a form field. You can, however, build server-side
validation tests in your action page to ensure that there's no HTML in the
field.

In addition, if you're using CF 5, you can include JavaScript-compliant
regular expression tests using CFFORM and CFINPUT tags - simply place your
regex in the VALIDATE attribute value of your CFINPUT tag. At least, I
believe this is new to CF 5. If you're using an older version, you could
write the JavaScript validation function yourself.

However, if you're using this for security against malicious users, you
can't rely on client-side tests such as JavaScript - they can be easily
avoided by someone with that intent.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444