Ok, thanks for explaining the reason why, Darren, I see how things could go
pear-shaped.

The reality is all I want to do is to convert app vars into their values,
and other email addresses embedded in the content. I've got a UDF that's
rewriting the email addresses so spammers can't collect them. And that's it...
Nothing too fancy.

The content editor will only be able to edit text in a WYSIWYG editor. If they
need anything more functional done or inserted then I will be the one to
rework the content.

Am I approaching this the wrong way?

Jason


"TRACEY, Darren" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
>
> I'll second Sean's "don't do that!", and I'll come in with a reason why.
>
> Because this is for a CMS, you will (I assume) have end users putting
> content in and specifying hashed values that you want to evaluate.
> Firstly, keep in mind that you'll have to do something to handle it if the
> user puts in something invalid (eg undefined, but plenty of other
> possibilities too).
> The big concern I have is that you are opening up yourself to malicious code
> injecting.
> How will you stop users putting great strings of nasty CF code in that
> either attack the system or reveal things about the system that aid in
> attacking the system?
>
> Having said that, if I've made a wrong assumption about this and this
> warning does not apply to your particular situation or there's any other
> reason why this risk will not apply to your system, please reply with a
> short post saying so. Long explanations are not necessary. I will accept
> your (or anyone else's) reply and will not be replying to it. If I feel some
> overwhelming need to reply, I'll probably even do it off list.  ;-)
>
> Regards
>
> Darren Tracey
> Systems Analyst
> Web Applications
> p: + 61 7 3232 4091 (x64091)
> f: + 61 7 3232 4022
> e: [EMAIL PROTECTED]
> l: Lvl 9, 388 Queen St Brisbane QLD 4000
> >
> >
> > -----Original Message-----
> > From: Sean Corfield [SMTP:[EMAIL PROTECTED]
> > Sent: Thursday, 1 July 2004 16:12
> > To: CFAussie Mailing List
> > Subject: [cfaussie] Re: Parsing DB content containing CF Vars
> >
> > On Thu, 1 Jul 2004 15:30:30 +1000, Jason Bayly <[EMAIL PROTECTED]>
> > wrote:
> > > Working on a basic custom CMS system for a client and was wondering if
> > > anyone has a bright idea on how to convert any cfvars in the content to
> > > their values.
> >
> > My first reaction is "don't do that!" but somehow folks never accept that
> > :)
> >
> > My second reaction is use regex to process the string from the DB.
> > Search for patterns like this:
> >
> >     #([^#]*)#
> >
> > and then for each match, replace it with evaluate(x) where x is the
> > matched pattern.
> >
>
>

---
You are currently subscribed to cfaussie as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
Aussie Macromedia Developers: http://lists.daemon.com.au/
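An added example, not code from anyone in the thread, of the direction Darren's warning points to: the `#([^#]*)#` tokens Sean's regex finds are resolved against an allow-list of application variables instead of being handed to evaluate(), so an editor can insert a variable's value but nothing else. Python stands in for CFML; the app vars and the email-rewriting function are constructed stand-ins for Jason's application scope and UDF.

```python
import re

# Constructed stand-in for the CF application scope. Keys are lower-cased
# because CF variable names are case-insensitive. Anything not listed here
# is refused; nothing from the content is ever evaluated as code.
APP_VARS = {
    "application.sitename": "Example Site",
    "application.contactemail": "info@example.com",
}

# Sean's pattern: everything between a pair of hashes.
TOKEN_RE = re.compile(r"#([^#]*)#")
# A token body must look like a plain dotted variable name, nothing else.
IDENT_RE = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$")
# Addresses to hand to the obfuscating UDF after substitution.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def obfuscate_email(addr):
    """Constructed stand-in for Jason's address-rewriting UDF."""
    return addr.replace("@", " [at] ").replace(".", " [dot] ")


def is_allowed_token(name, app_vars=APP_VARS):
    """True only for a well-formed name that is on the allow-list."""
    name = name.strip().lower()
    return bool(IDENT_RE.match(name)) and name in app_vars


def render(content, app_vars=APP_VARS):
    """Substitute allow-listed #vars# in CMS content, then rewrite emails.

    A doubled hash (##) is CF's escaped literal '#', so it is passed through.
    Any other token that is not an allow-listed variable name (a function
    call, an unknown variable, an expression) raises instead of running.
    """
    def substitute(match):
        name = match.group(1).strip()
        if name == "":
            return "#"
        if not is_allowed_token(name, app_vars):
            raise ValueError("disallowed token in content: %r" % name)
        return str(app_vars[name.lower()])

    substituted = TOKEN_RE.sub(substitute, content)
    return EMAIL_RE.sub(lambda m: obfuscate_email(m.group(0)), substituted)
```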
