Rob,

The list of tags can be found in your neo-security.xml (CFInstallDirectory\lib\)

    <var name="CrossSiteScriptPatterns">
      <struct type="coldfusion.server.ConfigMap">
        <var name="&lt;\s*(object|embed|script|applet|meta)">
          <string>&lt;InvalidTag</string>
        </var>
      </struct>
    </var>

Pragnesh

On May 6, 11:09 pm, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> Hi People,
>
> Just a heads up, we have a lovely new server here and while setting it
> up we decided to enable the "Enable Global Script Protection" in
> CFADMIN8; you can never be too careful when you work in the mean
> streets of education.
>
> Well the teachers started to complain that they could no longer embed
> YouTube videos into their online units (seriously, this is the end of the
> world!) .. We thought it may have been our implementation of fckEditor
> (2.6, pretty hot); our theory was, fckie was changing the object and
> embed tag to "invalidtag" on form post, which sounds like a typical
> wysiwyg black magic trick. However, after reading every single line of
> fckeditor's config looking for a blacklist of tags, dumping the form
> scope and finding fckeditor was behaving itself, we thought we would
> just try and disable the Enable Global Script Protection in cfadmin.
> We restarted the server and it worked! Teachers and Students can now
> embed their movies! Thank god PEACE!
>
> I mean I can see how it would be useful if your users are punks, but
> in this web2.0 time I can't see much use for a blanket ban on all cross
> site stuff, would be more useful if you could choose tags to disable.
>
> Just thought I would share...
>
> Rob.
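An added example, not part of the original thread and not ColdFusion's own code: it parses a constructed copy of the CrossSiteScriptPatterns fragment quoted in the reply, applies the pattern to a constructed form field to show why the embeds arrived as "InvalidTag", and then applies a hypothetical narrowed pattern that no longer lists object and embed. The function names, the sample field and the case-insensitive matching are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment in the shape quoted in the thread (entities escaped so it parses).
NEO_SECURITY_FRAGMENT = r"""
<var name="CrossSiteScriptPatterns">
  <struct type="coldfusion.server.ConfigMap">
    <var name="&lt;\s*(object|embed|script|applet|meta)">
      <string>&lt;InvalidTag</string>
    </var>
  </struct>
</var>
"""

# Hypothetical edit: the same fragment with object and embed taken out of the pattern.
NARROWED_FRAGMENT = NEO_SECURITY_FRAGMENT.replace("object|embed|", "")

# Constructed form field, similar to what a WYSIWYG editor would post.
FORM_FIELD = ('<p>Unit 3 video</p><object width="425">'
              '<embed src="https://video.example/v/ID"></embed></object>'
              '<script>track()</script>')


def load_patterns(fragment):
    """Return [(compiled_regex, replacement)]: var name is the regex, <string> the replacement."""
    root = ET.fromstring(fragment.strip())
    rules = []
    for var in root.findall("./struct/var"):
        replacement = var.findtext("string", default="")
        # Assumption: the server matches tag names case-insensitively.
        rules.append((re.compile(var.get("name"), re.IGNORECASE), replacement))
    return rules


def apply_script_protection(value, rules):
    """Rewrite every opening-tag match; closing tags are not covered by the pattern."""
    for regex, replacement in rules:
        value = regex.sub(lambda m: replacement, value)
    return value


if __name__ == "__main__":
    for label, fragment in (("default", NEO_SECURITY_FRAGMENT),
                            ("narrowed", NARROWED_FRAGMENT)):
        print(label, "->", apply_script_protection(FORM_FIELD, load_patterns(fragment)))
```

The narrowed pattern still rewrites script, applet and meta, but because the file is server configuration, every application on that server then receives object and embed tags unfiltered.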
