New to the cross site scripting arena - trying to prevent users from
entering javascript into form fields and the javascript from executing.
Pretty much anything goes in the form fields - so I am trying to add
htmleditformat to my code - but the javascript is still executing when I
click
From: cindi gannon [mailto:cindi.gan...@bnymellon.com]
Sent: Friday, August 27, 2010 1:00 PM
To: cf-talk
Subject: HTMLEditFormat and Cross Site Scripting
New to the cross site scripting arena - trying to prevent users from
entering javascript into form fields and the javascript from executing.
<cfif isDefined("form.logname")>
<cfquery name="getuser" datasource="#application.dsn#">
select * from t_s1 u, t_s2 x where id =
'#htmleditformat(form.logname)#' and u.id = x.id
</cfquery>
and then the form processes correctly. I'm just trying
to prevent the alert or whatever js code is in there maliciously from
executing.
cfqueryparam is your friend.
That has no effect on XSS. It simply prevents SQL injection.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Right.
Cindi posted an example of a cfquery and I responded with cfqueryparam is
your friend. Her query is vulnerable to sql injection.
On Fri, Aug 27, 2010 at 2:27 PM, Dave Watts dwa...@figleaf.com wrote:
cfqueryparam is your friend.
That has no effect on XSS. It simply prevents SQL injection.
From: cindi.gan...@bnymellon.com [mailto:cindi.gan...@bnymellon.com]
Sent: Friday, August 27, 2010 1:20 PM
To: cf-talk
Subject: RE: HTMLEditFormat and Cross Site Scripting
Hi there - I have it in the handle as shown below - but the javascript
still executes, so, if I put scriptalert
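The point Dave is making is that the two problems in Cindi's handler have two different fixes: the SQL value is bound with cfqueryparam, and HTMLEditFormat is applied at the moment the raw value is written back into HTML, not inside the query. The following login handler is an added example, not code from this thread; it assumes application.dsn and the t_s1/t_s2 tables from Cindi's query, and that id is a string column (cfsqltype would be cf_sql_integer for a numeric key).

```cfml
<!--- login.cfm: added example, not code from the thread.
      Assumes application.dsn and the t_s1/t_s2 tables from Cindi's query. --->
<cfif isDefined("form.logname")>

    <!--- SQL injection: the submitted value is bound as a parameter and is
          never concatenated into the SQL string. HTMLEditFormat has no role
          here; it only changes what an attacker's string looks like in HTML. --->
    <cfquery name="getUser" datasource="#application.dsn#">
        SELECT u.*
        FROM t_s1 u
        INNER JOIN t_s2 x ON u.id = x.id
        WHERE u.id = <cfqueryparam value="#form.logname#" cfsqltype="cf_sql_varchar">
    </cfquery>

    <!--- Cross-site scripting: escape where the raw value is written into
          the page. The browser receives &lt;script&gt;...&lt;/script&gt; and
          shows it as text instead of executing it. --->
    <cfoutput>
        <cfif getUser.recordCount eq 0>
            <p>No user found for #HTMLEditFormat(form.logname)#.</p>
        <cfelse>
            <p>Welcome, #HTMLEditFormat(form.logname)#.</p>
        </cfif>
    </cfoutput>

</cfif>
```

HTMLEditFormat escapes <, >, & and ", which is sufficient for element content and for double-quoted attribute values. It is not sufficient inside a script block, an event-handler attribute or a URL, because those contexts have their own syntax; keep untrusted values out of them. ColdFusion 10 and later add EncodeForHTML() and the other EncodeFor*() functions for those contexts.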
Hi folks,
It looks to me that in CF9, HTMLEditFormat no longer escapes text that's
already escaped. In other words, all these lines except the first one produce
identical results inside cfoutput (except for the line number, and assuming
this code makes it ok through email):
1
2 amp; quot
Hi Dave,
I believe this was bug #82039, which has been fixed in CF 9.0.1.
I ran your code in CF8, CF9, and CF9.0.1. Result in CF8 and CF9.0.1 was the
same.
Thanks!
-Aaron Neff
Is it wise to use htmlEditFormat() on the value of password fields?
It is allowed for a user to enter & as part of their password.
However, if I use htmlEditFormat(form.password) as the value of a
password field, it will escape it to &amp;.
Therefore a password may end up being Mike&amp;Becky
Hi
Use htmlEditFormat()... The encodings (& -> &amp;, for example)
don't affect the actual value in the edit box... It only changes the
HTML used to get that value into the edit box (safely). Try it for
yourself to see... (and if I'm wrong, well damn, let me know and I will
have just learned
Is it wise to use htmlEditFormat() on the value of password fields?
I wouldn't be passing a value through to a password field at all. Makes it
too easy for someone to view source and see the existing password. For
example, Sarah has her password saved in Firefox. Sarah leaves the room
mm.. It actually does.
If you go..
<cfset whoBobLikes = "Mary & Kate">
<cfset sanitizeBob = htmleditFormat(whoBobLikes)>
The variable sanitizeBob will become Mary &amp; Kate.
Dawson, if I were you I would recommend using the htmleditformat() function
either only inside edit boxes, or while you're
Very good advice.
Thanks,
Mike
-Original Message-
From: Justin Scott [mailto:jscott-li...@gravityfree.com]
Sent: Friday, June 26, 2009 11:40 AM
To: cf-talk
Subject: RE: HTMLEditFormat() on Password Fields
This is true.
Michael, what are you using this for? Are you using the htmlEditFormat() to
sanitize the passwords before they get inserted? Or are you using this to
output the users password to them in a textbox?
But, I still think it's fine to default the username into the username
field.
Thanks,
Mike
-Original Message-
From: Paul Alkema [mailto:paulalkemadesi...@gmail.com]
Sent: Friday, June 26, 2009 11:51 AM
To: cf-talk
Subject: RE: HTMLEditFormat() on Password Fields
I have a login form with username and password fields.
If the user typed something wrong, the page would
re-load with the values already entered so that it
could be corrected.
Ah, for those I wouldn't put the password back in either. In this case the
point is for the user to correct
Paul, you are correct in what htmlEditFormat does to its input, but not
in how it will be interpreted when used in a real form, like this:
<cfset whoBobLikes = "Mary & Kate">
<cfset sanitizeBob = htmleditFormat(whoBobLikes)>
<cfoutput>
<form action="dumpformvars.cfm">
<input name="x" value="#sanitizeBob#">
</form>
</cfoutput>
Yeah, I misinterpreted the original email. I was under the impression that
the issue was that he was using htmleditformat() to sanitize his data before
inserting it into the database, then when the user tried to sign in, their
passwords didn't match.
I see what you're saying, good point
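The experiment Paul suggests ("try it for yourself") can be done with one self-posting page. This is an added example, not code from the thread; it assumes it is saved as roundtrip.cfm. It shows the three views of the same value: what is in the HTML source, what the browser puts in the edit box, and what comes back in form.x after the form is submitted. The submitted value is unchanged, which is why escaping the value attribute does not corrupt a username; a password is still never written back into the page.

```cfml
<!--- roundtrip.cfm: added example, not code from the thread. --->
<cfparam name="form.x" default="Mary & Kate">

<cfset rawValue = form.x>
<cfset escapedValue = HTMLEditFormat(rawValue)>

<cfoutput>
    <!--- Escaped twice here so the reader sees the entity itself, i.e.
          exactly what the browser receives in the HTML source. --->
    <pre>HTML source:   value="#HTMLEditFormat(escapedValue)#"</pre>

    <!--- The browser decodes &amp; back to & when it builds the field
          value, and submits the decoded text, so form.x equals rawValue
          after every round trip. --->
    <pre>Edit box / form.x after submit: #HTMLEditFormat(rawValue)#</pre>

    <form action="roundtrip.cfm" method="post">
        <input name="x" value="#escapedValue#">
        <input type="submit" value="Resubmit">
    </form>
</cfoutput>
```

Resubmitting any number of times keeps showing Mary & Kate in the edit box while the source line keeps showing Mary &amp; Kate. Note that on a ColdFusion 9.0 server affected by the bug Aaron mentions above (#82039), the first line would not show the entity because HTMLEditFormat leaves already-escaped text alone; 9.0.1 restores the expected behaviour.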
Hello.
Does this work for anybody? I don't get anything escaped when I try this.
It just returns the string as is.
<cfset str = "<hello world>" />
<cfset strEscaped = HTMLEditFormat( str ) />
<cfoutput>#strEscaped#</cfoutput>
I understand that its main purpose is to do this:
<cfoutput>#str#</cfoutput>
and the browser will try to render a hello
tag (which it doesn't know, so it ignores it). If you wrap the string in an
HTMLEditFormat(), it will escape the < and >, and you'll see <hello> in the
browser, but viewing source will show &lt;hello&gt;
So what would the recommendation be IF, you wanted
the 5" to show (and any other possible characters) ...
but also be available for a tab delimited file export,
plain-text email or any other variation...
Only use htmleditformat() when displaying ( after retrieval ) or use 2
columns in the db
What versions of CF are you guys running? I am running
CF5 and have problems sometimes when I populate a
form field so I correct it with htmleditformat() but just out
of curiosity, are you all running MX or 5?
Perhaps they fixed the problems in MX.
This isn't actually a problem
I read a few posts about HtmlEditFormat() and was curious, if you are taking user
input from a form (input type = text or a textarea), should you always wrap
htmleditformat(form.variable) around the form variable as you stick it into the
database so as to preserve any single or double quotes
- Original Message -
From: S. Isaac Dealey [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, July 17, 2002 4:31 PM
Subject: Re: HtmlEditFormat()
if htmleditformat() included double-quotes as one
of the fields it escapes, but I know it escapes greater than or less than
symbols, so... say for instance, a user inputs
Hello -> there
into a text field, then goes back and updates that data, they'll see
Hello -&gt; there
in the form field if you've
Just FYI, I tested it out a number of times and 5" updated about 5 times
still produced 5" (viewing source it was 5&quot;)
I actually tested # too ... and it seemed to work just fine as well --
Interesting.
I guess back to my original question, should I htmleditformat all my
textareas and text
IMO yes although things get tricky if you use double byte languages like
Japanese.
-Original Message-
From: Paul Giesenhagen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 18 July 2002 3:05 p.m.
To: CF-Talk
Subject: Re: HtmlEditFormat()
When the form is submitted, the &quot; becomes " etc. So they won't ever
end up in the database. (Correct me if I'm wrong.)
-Original Message-
From: S. Isaac Dealey [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 18 July 2002 3:28 p.m.
To: CF-Talk
Subject: Re: HtmlEditFormat()
When the form is submitted, the &quot; becomes " etc. So
they won't ever end up in the database. (Correct me if I'm wrong.)
I don't believe so ... I believe when you post the form there is no
conversion of the contents of the form ... When you type &gt; into a form
that's already loaded, you see
Uh, yes, of course. In a bit of a fluster here ;-)
-Original Message-
From: S. Isaac Dealey [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 18 July 2002 3:46 p.m.
To: CF-Talk
Subject: RE: HtmlEditFormat()
What versions of CF are you guys running? I am running CF5 and have
problems sometimes when I populate a form field so I correct it with
htmleditformat() but just out of curiosity, are you all running MX or 5?
Perhaps they fixed the problems in MX.
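The thread above keeps circling one rule: store the value the user typed, and escape it once, at the moment it is written into HTML. Escaping on INSERT does not preserve quotes; it turns Isaac's Hello -> there into Hello -&gt; there, and every edit-and-save cycle escapes it again. The script below is an added example, not code from the thread. It uses a hand-written equivalent of HTMLEditFormat (so that the replacement order is visible) and shows the growth that escape-on-store produces, next to the correct escape-on-display result.

```cfml
<!--- escapeonce.cfm: added example, not code from the thread. --->
<cfscript>
    // Hand-written equivalent of HTMLEditFormat for the four characters it
    // handles. The ampersand MUST be replaced first: replacing it later
    // would turn the &lt; produced by an earlier step into &amp;lt;.
    function htmlEscape(s) {
        s = Replace(s, "&", "&amp;", "ALL");
        s = Replace(s, "<", "&lt;", "ALL");
        s = Replace(s, ">", "&gt;", "ALL");
        s = Replace(s, """", "&quot;", "ALL");
        return s;
    }

    // Constructed sample input, combining the cases discussed in the thread.
    original = 'Hello -> there, 5" tall';

    // Escape-on-store: the record is escaped on INSERT, then edited through
    // the form and saved again. Each save escapes the stored text once more.
    // (Each line is escaped a second time only so the entities are visible.)
    stored = original;
    for (i = 1; i lte 3; i++) {
        stored = htmlEscape(stored);
        writeOutput("save " & i & ": " & htmlEscape(stored) & "<br>");
    }
    // save 1: Hello -&gt; there, 5&quot; tall
    // save 2: Hello -&amp;gt; there, 5&amp;quot; tall
    // save 3: Hello -&amp;amp;gt; there, 5&amp;amp;quot; tall

    // Escape-on-display: the raw text is stored and escaped exactly once
    // when it is written into the page, so the form field shows the
    // original text and the browser submits it back unchanged.
    writeOutput("display: " & htmlEscape(original) & "<br>");
    writeOutput("same as HTMLEditFormat: "
        & YesNoFormat(htmlEscape(original) eq HTMLEditFormat(original)));
</cfscript>
```

The double-quote handling answers Isaac's open question: HTMLEditFormat does escape " to &quot;, which is what makes it safe to drop a value into a double-quoted value attribute. A user who really typed the literal text &gt; will see it escaped to &amp;gt; in the source and &gt; in the field, which is the correct round trip for that input as well.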
Just Curious,
Jim Vosika
http://tinyclick.com
Why won't htmleditformat or htmlcodeformat work for you?
__
steve oliver
atnet solutions, inc.
http://www.atnetsolutions.com
-Original Message-
From: list peters [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 02, 2002 12:17 AM
To: CF-Talk
Subject
Why won't htmleditformat or htmlcodeformat work for you?
this
&#160;&#3605;&#3634;&#3619;&#3634;&#3591;
is why. these functions don't work with multibyte
char encoding like utf-8
functions like htmleditformat - however i am using unicode with cold
fusion
glad to hear.
<!--- the ampersand must be replaced before the others, or the &lt; and
      &gt; produced below would themselves be escaped again --->
<cfset content = Replace(content, "&", "&amp;", "ALL")>
<cfset content = Replace(content, "<", "&lt;", "ALL")>
<cfset content = Replace(content, ">", "&gt;", "ALL")>
<cfset content = Replace(content, """", "&quot;", "ALL")>
as far as i know. i wonder if there's any js function
from a text. the function
htmleditformat doesn't do it.
is there a function or an algorithm to do it?
2nd, i don't manage to pass an array thru an URL.
in a form i created an input text as: <input type="text" name="array1[i]" value="...">
and i can't have the result in the destination page