Re: Best practices for xss security in CMS?
Well, it all depends on several factors. How many forms do you have within your site that result in content being inserted into the database and then displayed on the page? If your CMS is the only place this happens and this is password protected, then you can afford to be more flexible about what tags you allow. However, relying on passwords alone is almost pointless these days unless you at the very least enforce some password strength, as your security is then only as strong as the person with the weakest password.

You could consider some extra steps for any back end/CMS system, such as restricting access by IP address, which is done at web server level. How you do this depends on how many users you have and if they have static IPs and if they are likely to connect remotely from mobile devices etc. If you only have a small number of static IPs to allow, then do that. If adding specific IPs is not viable, then use a VPN, and then just allow the IP of the VPN server, which will allow your users to connect from anywhere and any device as long as they have a VPN connection.

The other option is 2 factor authentication. This is actually easier than it seems; take a look at Google Authenticator for a real simple solution.

On Mon, Mar 3, 2014 at 4:12 AM, Nick Gleason n.glea...@citysoft.com wrote:

Hi Russ,

Yes, we can definitely turn these tags on and off. The challenge is that if we follow OWASP closely, then we shut off tags that clients genuinely need (e.g. iframe for youtube content). So, we're trying to figure out how to give clients adequate features without opening up too much risk. Of course, publishing is behind a login so there is that kind of restriction in place before you even get to an editor to publish.

I'm curious how wordpress handles this issue. From the little research I have done, it seems that none of these tags (iframe, embed, object) are blocked by default in wordpress installations. I would think that would open them up to some risk, but perhaps having the editor behind a secure login mitigates the risk to a large extent.

Thanks again!

Nick

-Original Message-
From: Russ Michaels [mailto:r...@michaels.me.uk]
Sent: Friday, February 28, 2014 9:39 AM
To: cf-talk
Subject: Re: Best practices for xss security in CMS?

With any decent editor including CKeditor and tinyMCE, you can specify down to a granular level which html tags and attributes are allowed/not allowed, just check the docs and there should be a config file somewhere in your CMS that instantiates the editor where you can modify these settings. So it is pretty easy to do as you need. It is also a good idea to restrict other tags to avoid numpty editors from just copying and pasting content which screws up the layout.

On Fri, Feb 28, 2014 at 4:29 PM, Dave Watts dwa...@figleaf.com wrote:

I'm very interested in your feedback on best practices when 1) trying to mitigate risk of XSS and other hacks while 2) providing CMS functionality that includes a web editor that clients use to publish web pages. For example, there are many tags like style, iframe, and embed that are considered risks by OWASP and others but are also typically needed by CMS users to create web pages, embed youtube videos, and the like. We're thinking through how to manage the trade offs so that we protect clients but don't frustrate them in making their web pages. I'd love to know how others are managing these issues effectively. Our users who are creating web pages with an editor (FCKeditor) are generally working behind a login as administrators, so there is that login security - not anyone can use the editor to create a web page. But, we have generally had a lot more security than that. I'm assuming that there are users of Mura, Farcry and other CMS's on this list and I'd love to know how you have addressed these risks.

While Pete's responses are great (as always), you might also consider whether you can apply more traditional network access controls to the problem. For example, you might be able to separate authoring from publishing entirely, so that authors go to one server and viewers just go to the production publishing server. We do this for quite a few of our customers. This isn't necessarily a replacement for client injection risk mitigation, but it can be a great complement.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive:
Re: Best practices for xss security in CMS?
Dave, this is an interesting idea which we haven't pursued yet. I don't have a clear sense of how the server configuration would work here. Would you have two separate db servers (one for authored content and one for published content) that would sync up? Or would you have an authoring infrastructure that would then generate more traditional static html? I'm just trying to get a sense of how the separation would work.

It can vary, but it's usually pretty simple: an authoring environment and a production environment where content is published. This by itself really has nothing to do with preventing XSS on its face, but it prevents unauthorized users from being able to create content - the production environment simply has no way to allow users to create or edit content. These environments typically either share a database, or data is migrated automatically from one database to another. Of course, we still need to sanitize content prior to production, but we only have to worry about people with access to the physical network where the authoring environment lives. This is often a fairly small group, and hopefully a more trustworthy group.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357811
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Best practices for xss security in CMS? - Related Question
On Sun, Mar 2, 2014 at 11:21 PM, Nick Gleason n.glea...@citysoft.com wrote:

Hi guys, Following up on this thread I have a related question - what are some examples of XSS scenarios other than comments and forum posts. Any other prominent risk scenarios for XSS?

There are a lot of scenarios, essentially anywhere you output a variable that originated in some part from an external source. So for example, let's say you have a search form for your site with some code like this:

    <cfoutput>Your search for #url.query# returned #search.recordcount# results</cfoutput>

There is an XSS risk there because someone could create a link to /search.cfm?query=<script>alert('xss')</script> (now if you try that example in a modern browser you will find that it might not actually work due to the built-in XSS protection in browsers, but the hole is there and there are ways to bypass the browser's XSS protection).

So basically any time you take a variable that comes from the user or some other untrusted source and output it, you have the potential for an XSS hole.

Also you should check out Content-Security-Policy headers; this can help reduce XSS risks significantly on browsers that support it. See: http://content-security-policy.com/ for more info or come to my cf.Objective(2014) presentation :)

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357812
RE: Best practices for xss security in CMS? - Related Question
Pete,

Much appreciated. I guess where I'm being a bit of a dunce is that in your example, if a malicious url.query variable was passed in by a hacker, wouldn't the display only be available on that single request? And if I come to the same search form 2 minutes later and do a normal search, won't it be clean? I guess that, assuming we have no sql injection to the db, I don't see how that attack stays persistent (as it would possibly for a comment or forum post). Sorry to be over-simple on this.

Re: the content security policy, that looks very interesting. Watching a presentation on it now. One quick question. If we are using that on a site and then an admin comes in and uses an iframe widget from youtube to display a video on a page in the site, does that get filtered by CSP (and require an exception for youtube)? I gather that would need to be excepted in the frame-src header, right?

Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357813
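An added example, not code posted to the list by any participant: the search page from Pete's message with the reflected value encoded for each context it lands in, plus a Content-Security-Policy header whose frame-src covers the YouTube embed case Nick raises. It assumes ColdFusion 10 or later for the encodeFor* functions; the policy value, the form markup and the stand-in search query are constructed for illustration.

```cfml
<!--- search.cfm: added illustration, not code from the thread. --->
<cfparam name="url.query" default="">

<!--- Stand-in for the real search so the page runs by itself (constructed). --->
<cfset search = queryNew("title", "varchar")>

<!--- Defence in depth, sent before any output. script-src without
      'unsafe-inline' makes the browser refuse injected inline script;
      frame-src limits iframes to the listed hosts. The directive values
      are assumptions and should be tightened per site. --->
<cfheader name="Content-Security-Policy"
          value="default-src 'self'; script-src 'self'; frame-src https://www.youtube.com https://www.youtube-nocookie.com">

<!--- BEFORE (as posted): url.query is written into the page verbatim,
      so markup in the query string becomes part of the response.
      <cfoutput>Your search for #url.query# returned #search.recordcount# results</cfoutput> --->

<!--- AFTER: encode for the context the value is written into. --->
<cfoutput>
<!--- HTML body context --->
<p>Your search for #encodeForHTML(url.query)# returned #search.recordcount# results</p>

<!--- Attribute context: the same value echoed back into the search box --->
<form action="search.cfm" method="get">
    <input type="text" name="query" value="#encodeForHTMLAttribute(url.query)#">
    <input type="submit" value="Search">
</form>

<!--- URL context: the value carried into a paging link --->
<a href="search.cfm?query=#encodeForURL(url.query)#&amp;page=2">Next page</a>
</cfoutput>
```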
RE: Best practices for xss security in CMS?
You could manage the web.config ip filter via cf. You can also have the option to disable 2 factor authentication for a specific computer for 30 days which is a common option, using either a cookie or ip logging.

Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com

On 3 Mar 2014 22:22, Nick Gleason n.glea...@citysoft.com wrote:

Hi Russ,

This is very interesting. In this case, we limit failed logins to a fairly small number before the login is disabled so in theory that would prevent dictionary style attacks, even against fairly weak logins. If you think that is flawed, let me know.

We've discussed adding an IP filter, although I was thinking that we would try to do it within the application code rather than at the web server in case someone doesn't have access to the web server configuration. I suppose it could be done in web.config as well (on IIS), but it seems like it would be easier for client to manage to have the IP list within the user's record. It would be nice if we could essentially ban all foreign IPs from admin access (when it made sense for a client), but when researching that a while back it seemed a little tricky.

With google style 2 factor authentication, I get the idea of requesting a numeric code in a text message - that doesn't sound terribly complicated. But, I'm sure that people would want to elect to stay logged in on this computer and I'm not clear on how best to manage that.

Thanks again.

Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357815
RE: Best practices for xss security in CMS?
Hi Russ,

This is very interesting. In this case, we limit failed logins to a fairly small number before the login is disabled so in theory that would prevent dictionary style attacks, even against fairly weak logins. If you think that is flawed, let me know.

We've discussed adding an IP filter, although I was thinking that we would try to do it within the application code rather than at the web server in case someone doesn't have access to the web server configuration. I suppose it could be done in web.config as well (on IIS), but it seems like it would be easier for client to manage to have the IP list within the user's record. It would be nice if we could essentially ban all foreign IPs from admin access (when it made sense for a client), but when researching that a while back it seemed a little tricky.

With google style 2 factor authentication, I get the idea of requesting a numeric code in a text message - that doesn't sound terribly complicated. But, I'm sure that people would want to elect to stay logged in on this computer and I'm not clear on how best to manage that.

Thanks again.

Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357814
Re: Best practices for xss security in CMS? - Related Question
Nick you are correct, strictly speaking. That simple example is harmless, it runs only one time and is 'visible' only to the single client. Consider what happens if the payload that is executed is nowhere nearly as benign. At that point, code of some kind is being executed on your server that does something you don't intend, and regardless of the fact it only executes once, it could make all sorts of mischief depending on its level of sophistication.

--
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357816
Re: Best practices for xss security in CMS? - Related Question
To clarify, I was oversimplifying above when I said 'code is being executed on your server'. Pete's script example would of course need to link up with some other vulnerability for that to happen (i.e. an unpatched exploit of some kind). Since you can't predict such things, you minimize the number of liberties someone can take with your server's tender innocence.

--
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357817
Honest question about cfform
Why are people so vehemently opposed so to CFForm?

Many TIA in advance,

Curious-G!

--
Gerald Guido
Twitter https://twitter.com/CozmoTrouble
Blarg http://www.myinternetisbroken.com
Facebook https://www.facebook.com/gerald.guido.9

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357818
Re: Honest question about cfform
My bad: Why are people so vehemently opposed to CFForm?

G!

--
Gerald Guido
Twitter https://twitter.com/CozmoTrouble
Blarg http://www.myinternetisbroken.com
Facebook https://www.facebook.com/gerald.guido.9

On Mon, Mar 3, 2014 at 10:39 PM, Gerald Guido gerald.gu...@gmail.com wrote:

Why are people so vehemently opposed so to CFForm? Many TIA in advance, Curious-G!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357819
Re: Honest question about cfform
In a nutshell Because it's a bloated, outdated, streaming pile of dung. :-)

On Mar 3, 2014 10:43 PM, Gerald Guido gerald.gu...@gmail.com wrote:

My bad: Why are people so vehemently opposed to CFForm? G!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357820
Re: Honest question about cfform
ColdFusion is great, but avoid cfform, cfupdate, etc. If it seems too good to be true, it is. Learn to build forms and queries manually. You'll be much better off in the long run.

On Mon, Mar 3, 2014 at 8:57 PM, Matt Quackenbush quackfu...@gmail.com wrote:

In a nutshell Because it's a bloated, outdated, streaming pile of dung. :-)

On Mar 3, 2014 10:43 PM, Gerald Guido gerald.gu...@gmail.com wrote:

My bad: Why are people so vehemently opposed to CFForm? G!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357821
Re: Honest question about cfform
I am going to ignore that. Can I get a business case argument?

Thanxk

G!

--
Gerald Guido
Twitter https://twitter.com/CozmoTrouble
Blarg http://www.myinternetisbroken.com
Facebook https://www.facebook.com/gerald.guido.9

On Mon, Mar 3, 2014 at 11:57 PM, Matt Quackenbush quackfu...@gmail.com wrote:

In a nutshell Because it's a bloated, outdated, streaming pile of dung. :-)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357822
Re: Honest question about cfform
The business case is that it is bloated, outdated (i.e. the Javascript libraries that it utilizes), and it is not even good Javascript at that. Maybe you would be better served giving your case for it and then folks can provide counterpoints. But the answer to the question you asked is what I gave. ;-)

On Mar 4, 2014 12:06 AM, Gerald Guido gerald.gu...@gmail.com wrote:

I am going to ignore that. Can I get a business case argument? Thanxk G!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357823
Re: Honest question about cfform
I am acutely aware of the arguments on both sides. But as I start rewriting our form validation system, as you have Mr. Quackenbush, I really have to pose the question: Is the juice worth the squeeze?

Food for thought

G!

--
Gerald Guido
Twitter https://twitter.com/CozmoTrouble
Blarg http://www.myinternetisbroken.com
Facebook https://www.facebook.com/gerald.guido.9

On Tue, Mar 4, 2014 at 12:24 AM, Matt Quackenbush quackfu...@gmail.com wrote:

The business case is that it is bloated, outdated (i.e. the Javascript libraries that it utilizes), and it is not even good Javascript at that. Maybe you would be better served giving your case for it and then folks can provide counterpoints. But the answer to the question you asked is what I gave. ;-)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357824
Re: Honest question about cfform
I'm not sure what you're asking (saying?), but if you're asking me if it's worth not using cfform the answer is a resounding hell yes! There is no viable use case for cfform in my world.

On Mar 4, 2014 12:44 AM, Gerald Guido gerald.gu...@gmail.com wrote:

I am acutely aware of the arguments on both sides. But as I start rewriting our form validation system, as you have Mr. Quackenbush, I really have to pose the question: Is the juice worth the squeeze? Food for thought G!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357825
Re: Honest question about cfform
Not ever? As in 100% never?

Curious,

G!

--
Gerald Guido
Twitter https://twitter.com/CozmoTrouble
Blarg http://www.myinternetisbroken.com
Facebook https://www.facebook.com/gerald.guido.9

On Tue, Mar 4, 2014 at 12:56 AM, Matt Quackenbush quackfu...@gmail.com wrote:

I'm not sure what you're asking (saying?), but if you're asking me if it's worth not using cfform the answer is a resounding hell yes! There is no viable use case for cfform in my world.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357826
Re: Honest question about cfform
Never. Ever. I have never used cfform and it's unfathomable to me to think I ever would. The only conceivable efficiency for cfform is for a developer that knows essentially nothing other than following along with his / her WACK and got to the part that says, Oh, shiny! And no, that's not actually efficient. I wouldn't even use cfform for a prototype of the most basic of applications. Seriously.

On Mar 4, 2014 1:01 AM, Gerald Guido gerald.gu...@gmail.com wrote:

Not ever? As in 100% never? Curious, G!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357827
Re: Honest question about cfform
There are always better ways to do things than using the client side CF code. I have not looked at the output of CFFORM JavaScript in ages, but if it has not been updated at all there's a good chance it's not fully compatible with today's browsers. There are also form validation frameworks. One that I know of is ValidateThis http://www.validatethis.org/ I'm not sure if this will work in your case. It's worth at least looking into it. There are options and most will be better than CFFORM.

Regards,

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357828