Just spotted this thread. Surely, unless the scenario referred to by Ray is encountered, you should simply HTMLEditFormat() any user-submitted output in order to escape any special characters.
> -----Original Message-----
> From: Raymond Camden [mailto:[EMAIL PROTECTED]]
> Sent: 19 December 2001 15:44
> To: CF-Talk
> Subject: RE: Forms and CF Code
>
>
> Why would anyone need to clean cfcode? Unless you save user input to a
> file and cfinclude it, it will not get executed.
>
> FYI, to clean HTML and stuff, look for StripHTML on cflib.org.
>
> ===================================================================
> Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
>
> Email : [EMAIL PROTECTED]
> Yahoo IM : morpheus
>
> "My ally is the Force, and a powerful ally it is." - Yoda
>
> > -----Original Message-----
> > From: Jennifer Larkin [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, December 18, 2001 7:14 PM
> > To: CF-Talk
> > Subject: RE: Forms and CF Code
> >
> >
> > In addition to CF code, you may need to strip out other characters to avoid
> > SQL hacks and such. If I can, I strip all < > ; # % * ' ( ) and , with
> > REReplace or use REFind to detect the nasty ones and throw an error
> > message, including sending an email message to me. < and > eliminate the
> > functionality of <CF..>. # can be icky if it comes up in a bad place. ( and
> > ) missing will eliminate the functionality of a CF function. ; can be used
> > in a query to do nasty things like execute a second SQL command in your
> > CFQuery and drop your tables. % is a sql wildcard so a user could get more
> > returns than you want them to. , has caused me a lot of problems when I try
> > to dump the data to a text file. * just makes me nervous. *twitch*
> >
> > At 04:02 PM 12/18/01 -0700, you wrote:
> > >I wrote a simple routine that would loop through all the form elements,
> > >strip out HTML, and change single quotes to chr(97). It'd be easy enough to
> > >do something similar for cfcode - just check for the <CF or specific CF
> > >functions. A simple search/replace, or regular expression can handle this.
> > >
> > >If you need it, I can dig out my routine, but it's simple enough that it can
> > >be recreated from scratch in about 30 minutes.
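A template that follows the advice above, added here as an example and not code posted by anyone in this thread: the submitted text is kept as data (never saved as a template and cfincluded, the one case Ray describes), left unstripped, and passed through HTMLEditFormat() only at output time. The file name comment.cfm and the ./data directory are assumptions.

```cfml
<!--- comment.cfm (assumed name): accept a visitor comment, store it as data, escape on output --->
<cfparam name="form.comment" default="">

<!--- Assumption: ./data exists, is writable by the CF service, and is never cfincluded --->
<cfset dataFile = ExpandPath("./data/comments.txt")>

<cfif Len(Trim(form.comment))>
    <!--- No character stripping: < > # ( ) ; are harmless as stored text.
          Only embedded line breaks are flattened so the file stays one comment per line. --->
    <cfset commentText = REReplace(Trim(form.comment), "[\r\n]+", " ", "ALL")>
    <cffile action="APPEND" file="#dataFile#" output="#commentText#" addnewline="Yes">
</cfif>

<form action="comment.cfm" method="post">
    <textarea name="comment" rows="4" cols="60"></textarea>
    <input type="submit" value="Post comment">
</form>

<cfif FileExists(dataFile)>
    <!--- action="READ" returns the file as a string; it is not parsed as a template,
          so a stored <cfoutput>#Now()#</cfoutput> stays literal text instead of running. --->
    <cffile action="READ" file="#dataFile#" variable="storedComments">
    <!--- HTMLEditFormat() escapes < > & and double quotes, so the browser renders text, not markup --->
    <cfoutput>
    <cfloop list="#storedComments#" index="oneComment" delimiters="#Chr(13)##Chr(10)#">
        <p>#HTMLEditFormat(oneComment)#</p>
    </cfloop>
    </cfoutput>
</cfif>
```

The same escaping belongs on every place the stored text is output, not just this page; stripping characters on input is then unnecessary for display purposes.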

