> I've created a web site for a customer and have come across
> an interesting problem. I'm wondering if anyone here has
> experienced something similar. The site allows my customer
> to create new categories using a form submission. The new
> categories are then displayed in the left frame of the site.
> It didn't take long for the customer to figure out that they
> could create bold category names by using some HTML in the
> form field. The category list is dynamically generated from
> a table using CF and the link associated with each category
> is also generated on the fly. We have thousands of their
> customers that access these categories with no problem. They
> click on the category and it loads the appropriate template
> in the right frame. Twice now we've had customers that claim
> to get an error message. It seems that their browser won't
> pass the URL variable with the bold tags.
>
> The URL looks like this:
> http://www.xyz.com/GoToCategory.cfm?category=<b>Diamonds</b>
>
> The latest customer that cannot access the categories is
> using IE 6.0 on Windows 2000.
You have several options:

1. If you're storing the categories in a database, pass the primary key instead of the above string.

2. If you want to pass the string, escape the characters with the URLEncodedFormat function:

<cfoutput><a href="/GoToCategory.cfm?category=#URLEncodedFormat(Name)#">#Name#</a></cfoutput>

3. Strip out any HTML entered by the user in the form fields in the first place.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
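The three options above, worked through as an added example that is not part of the original post and not Dave's code. It is written in Python rather than CFML so the encoding steps can be run and checked directly; `urllib.parse.quote` plays the role of `URLEncodedFormat`, and the function names, the `id` parameter and the sample category name are all hypothetical. The security-relevant detail the question glosses over is that a form field which accepts `<b>` also accepts any other markup, so whichever option is chosen, the name is HTML-escaped wherever it is displayed.

```python
import html
import re
import urllib.parse

# Constructed sample input: the category name exactly as the customer typed
# it into the form (hypothetical data, not taken from the list post).
SAMPLE_NAME = "<b>Diamonds</b>"

TAG_RE = re.compile(r"<[^>]*>")


def strip_html(name: str) -> str:
    """Option 3: remove tags when the category is saved, so the stored name
    is plain text. A tag-stripping regex is not a full HTML sanitiser; it is
    shown because the post proposes stripping, and the output escaping in the
    link builders below is the second, more reliable layer."""
    return TAG_RE.sub("", name)


def link_by_key(category_id: int, name: str) -> str:
    """Option 1: put only the primary key in the URL (hypothetical 'id'
    parameter). The name is HTML-escaped where it is displayed, so a stored
    <b> renders as literal text rather than markup."""
    return (f'<a href="/GoToCategory.cfm?id={int(category_id)}">'
            f'{html.escape(name)}</a>')


def link_by_name(name: str) -> str:
    """Option 2: percent-encode the name for the query string (the
    equivalent of URLEncodedFormat) and HTML-escape it for the link text.
    safe="" encodes '/' as well, so the closing tag's slash is not left raw."""
    encoded = urllib.parse.quote(name, safe="")
    return (f'<a href="/GoToCategory.cfm?category={encoded}">'
            f'{html.escape(name)}</a>')


def category_from_url(url: str) -> str:
    """What GoToCategory.cfm receives: the browser sends the percent-encoded
    value and the server decodes it back to the original string, so the
    lookup against the categories table still matches."""
    query = urllib.parse.urlsplit(url).query
    return urllib.parse.parse_qs(query)["category"][0]


if __name__ == "__main__":
    print(link_by_key(7, SAMPLE_NAME))
    print(link_by_name(SAMPLE_NAME))
    encoded_url = "/GoToCategory.cfm?category=" + urllib.parse.quote(SAMPLE_NAME, safe="")
    print(category_from_url(encoded_url))
    print(strip_html(SAMPLE_NAME))
```

Running it shows why option 2 fixes the reported error: the `<`, `>` and `/` that some browsers refused to send raw become `%3C`, `%3E` and `%2F`, and the server-side decode returns the original name unchanged. Option 1 sidesteps the encoding question entirely, which is why it is listed first.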

