will it all depends on several factors. How many forms do you have within
your site that result in content being inserted into the database and then
displayed on the page? If your CMS is the only place this happens and this
is password protected, then you can afford to be more flexible about what
Dave, this is an interesting idea which we haven't pursued yet. I don't
have a clear sense of how the server configuration would work here. Would
you have two separate db servers (one for authored content and one for
published content) that would sync up? Or would you have an authoring
On Sun, Mar 2, 2014 at 11:21 PM, Nick Gleason n.glea...@citysoft.com wrote:
Hi guys,
Following up on this thread I have a related question - what are some
examples of XSS scenarios other than comments and forum posts.
Any other prominent risk scenarios for XSS?
There are a lot of
Pete,
Much appreciated. I guess where I'm being a bit of a dunce is that in your
example, if a malicious url.query variable was passed in by a hacker,
wouldn't the display only be available on that single request? And if I
come to the same search form 2 minutes later and do a normal search,
You could manage the web.config IP filter via CF.
You can also have the option to disable two-factor authentication for a
specific computer for 30 days, which is a common option, using either a
cookie or IP logging.
Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com
On 3 Mar
Hi Russ,
This is very interesting. In this case, we limit failed logins to a fairly
small number before the login is disabled so in theory that would prevent
dictionary style attacks, even against fairly weak logins. If you think
that is flawed, let me know.
We've discussed adding an IP
Nick, you are correct, strictly speaking. That simple example is harmless,
it runs only one time and is 'visible' only to the single client. Consider
what happens if the payload that is executed is nowhere nearly as benign.
At that point, code of some kind is being executed on your server that
To clarify, I was oversimplifying above when I said 'code is being executed
on your server'. Pete's script example would of course need to link up
with some other vulnerability for that to happen (i.e. an unpatched exploit
of some kind).
Since you can't predict such things, you minimize the
Why are people so vehemently opposed so to CFForm?
Many TIA in advance,
Curious-G!
--
Gerald Guido
Twitter https://twitter.com/CozmoTrouble
Blarg http://www.myinternetisbroken.com
Facebook https://www.facebook.com/gerald.guido.9
My bad: Why are people so vehemently opposed to CFForm?
G!
--
Gerald Guido
Twitter https://twitter.com/CozmoTrouble
Blarg http://www.myinternetisbroken.com
Facebook https://www.facebook.com/gerald.guido.9
On Mon, Mar 3, 2014 at 10:39 PM, Gerald Guido gerald.gu...@gmail.com wrote:
Why are
In a nutshell
Because it's a bloated, outdated, steaming pile of dung.
:-)
On Mar 3, 2014 10:43 PM, Gerald Guido gerald.gu...@gmail.com wrote:
My bad: Why are people so vehemently opposed to CFForm?
G!
--
Gerald Guido
Twitter https://twitter.com/CozmoTrouble
Blarg
ColdFusion is great, but avoid cfform, cfupdate, etc. If it seems too good
to be true, it is. Learn to build forms and queries manually. You'll be
much better off in the long run.
On Mon, Mar 3, 2014 at 8:57 PM, Matt Quackenbush quackfu...@gmail.com wrote:
In a nutshell
Because
I am going to ignore that.
Can I get a business case argument?
Thanks
G!
--
Gerald Guido
Twitter https://twitter.com/CozmoTrouble
Blarg http://www.myinternetisbroken.com
Facebook https://www.facebook.com/gerald.guido.9
On Mon, Mar 3, 2014 at 11:57 PM, Matt Quackenbush
The business case is that it is bloated, outdated (i.e. the Javascript
libraries that it utilizes), and it is not even good Javascript at that.
Maybe you would be better served giving your case for it and then folks can
provide counterpoints.
But the answer to the question you asked is what I
I am acutely aware of the arguments on both sides.
But as I start rewriting our form validation system, as you have
Mr. Quackenbush, I really have to pose the question: Is the juice worth the
squeeze?
Food for thought
G!
--
Gerald Guido
Twitter https://twitter.com/CozmoTrouble
Blarg
I'm not sure what you're asking (saying?), but if you're asking me if it's
worth not using cfform the answer is a resounding hell yes! There is no
viable use case for cfform in my world.
On Mar 4, 2014 12:44 AM, Gerald Guido gerald.gu...@gmail.com wrote:
I am acutely aware of the arguments on
Not ever? As in 100% never?
Curious,
G!
--
Gerald Guido
Twitter https://twitter.com/CozmoTrouble
Blarg http://www.myinternetisbroken.com
Facebook https://www.facebook.com/gerald.guido.9
On Tue, Mar 4, 2014 at 12:56 AM, Matt Quackenbush quackfu...@gmail.com wrote:
I'm not sure what you're
Never. Ever. I have never used cfform and it's unfathomable to me to think
I ever would. The only conceivable efficiency for cfform is for a developer
that knows essentially nothing other than following along with his / her
WACK and got to the part that says, Oh, shiny!
And no, that's not
There are always better ways to do things than using the client-side CF code. I
have not looked at the output of CFFORM JavaScript in ages, but if it has not
been updated at all there's a good chance it's not fully compatible with
today's browsers.
There are also form validation frameworks.