Cornillon, Matthieu wrote:
>
> Going on my basic (and hopefully correct)
> assumption that JavaScript is set up so that it cannot (a) harm the user's
> machine or (b) harm the server, I am not going to worry about this, since
> the worst a user will do is pass themselves a JavaScript routine that
> produces an error.

Pass themselves? Don't think so. If the data were only passed to themselves what would be the point of entering it in the site at all? That data is going somewhere else as well, and therefore it is a security risk. Because somebody might have said that JavaScript from your website runs with the highest level of trust, after all he trusts you. But he is actually executing JavaScript that is not from you, but from somebody else. It is commonly referred to as "cross site scripting" (I am pretty sure that Google will return a wealth of hits on that).

> Are there any other scripting languages, though, that would be
> evaluated on the server side AFTER the CFAS processes the template?

No.

Jochem
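The point made in the reply above, as an added example that is not part of the original thread: text one visitor enters is served to other visitors from the site's own origin, so it has to be encoded when it is written into the page. The sample comments, function names and page layout are constructed for illustration, and the model is language-neutral JavaScript rather than ColdFusion code.

```javascript
// Constructed sample data: text two different visitors typed into a form.
// The second entry is a harmless marker for "markup supplied by a visitor".
const storedComments = [
  { author: 'alice', text: 'Tom & I liked this article' },
  { author: 'mallory', text: '<script>alert("not written by the site")</script>' },
];

// Encode the characters that can change HTML structure. This covers element
// content and quoted attribute values only; script blocks, URLs and unquoted
// attributes need their own context-specific encoders.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Before: stored text goes into the page as-is, so every reader's browser
// parses it as part of the site's own markup.
function renderUnsafe(comments) {
  return comments.map((c) => `<p><b>${c.author}</b>: ${c.text}</p>`).join('\n');
}

// After: every stored field is encoded at output time.
function renderSafe(comments) {
  return comments
    .map((c) => `<p><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</p>`)
    .join('\n');
}

// Check usable in a test suite: did visitor data introduce a script element?
function hasScriptElement(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe page has script element:', hasScriptElement(renderUnsafe(storedComments)));
console.log('safe page has script element:  ', hasScriptElement(renderSafe(storedComments)));
console.log(renderSafe(storedComments));
```

In a ColdFusion template the equivalent step is wrapping the output variable in `HTMLEditFormat()`.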

