asked on
I'm concerned about XSS attacks. I did some reading about, and have tried to implement, the HTMLEditFormat() function.
However, when I use HTMLEditFormat() in a form input, or in a CFOUTPUT, the output on the page is the raw HTML code.
For example, if I do this:
http://www.coalcountryteam.org/index.cfm?PageID=76
Where should I implement HTMLEditFormat() to add a little protection against XSS attacks?
Sorry to be asking so many questions of late. =) I really appreciate people's time.
Eric B
However, when I use HTMLEditFormat() in a form input, or in a CFOUTPUT, the output on the page is the raw HTML code.
For example, if I do this:
<cfquery name="UpdatePage" datasource="#ds#">
UPDATE tbl_acct_navigation
SET
PageTitle = <cfqueryparam cfsqltype="cf_sql_varchar" value="#HTMLEditFormat(form.PageTitle)#">,
PageContentLeft = <cfqueryparam cfsqltype="cf_sql_varchar" value="#HTMLEditFormat(form.PageContentLeft)#">,
PageContentRight = <cfqueryparam cfsqltype="cf_sql_varchar" value="#HTMLEditFormat(form.PageContentRight)#">,
DateModified = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#now()#">
WHERE PageID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.PageID)#">
</cfquery>
http://www.coalcountryteam.org/index.cfm?PageID=76
Where should I implement HTMLEditFormat() to add a little protection against XSS attacks?
Sorry to be asking so many questions of late. =) I really appreciate people's time.
Eric B
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 10 Answers and 26 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.