<cfquery name="UpdatePage" datasource="#ds#">
UPDATE tbl_acct_navigation
SET
PageTitle = <cfqueryparam cfsqltype="cf_sql_varchar" value="#HTMLEditFormat(form.PageTitle)#">,
PageContentLeft = <cfqueryparam cfsqltype="cf_sql_varchar" value="#HTMLEditFormat(form.PageContentLeft)#">,
PageContentRight = <cfqueryparam cfsqltype="cf_sql_varchar" value="#HTMLEditFormat(form.PageContentRight)#">,
DateModified = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#now()#">
WHERE PageID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.PageID)#">
</cfquery>
.... then the page output displays the HTML code; the HTML is not parsed by the browser. You can see it here:
<!--- set up protection against XSS --->
<!--- strip <script>...</script> elements from each field (case-insensitive, all occurrences) --->
<cfset form.PageTitle = ReReplaceNoCase(form.PageTitle, "<script.*?>.*?</script>", "", "all")>
<cfset form.PageContentLeft = ReReplaceNoCase(form.PageContentLeft, "<script.*?>.*?</script>", "", "all")>
<cfset form.PageContentRight = ReReplaceNoCase(form.PageContentRight, "<script.*?>.*?</script>", "", "all")>
error text:
Error Occurred While Processing Request
Invalid CFML construct found on line 14 at column 22.
ColdFusion was looking at the following text: )
The CFML compiler was processing: a cfset tag beginning on line 14, column 2.
The error occurred in C:/websites/www.coalcountryteam.org/admin/editPages.cfm: line 14
12 :
13 : <!--- set up protection against XSS scripts --->
14 : <cfset form.PageTitle) = ReReplaceNoCase (form.PageTitle), "<script.*?>.*?</script>", "", "all")>
15 : <cfset form.PageContentLeft) = ReReplaceNoCase (form.PageContentLeft), "<script.*?>.*?</script>", "", "all")>
16 : <cfset form.PageContentRight) = ReReplaceNoCase (form.PageContentRight), "<script.*?>.*?</script>", "", "all")>
<p><strong>Page Title:</strong>
<cfinput
type="Text"
name="PageTitle"
value="#Trim(form.PageTitle)#"
message="Please enter a Document Title."
required="Yes"
validateAt="onSubmit,onServer"
size="50"
maxlength="255"></p>
<textarea name="PageContentLeft"
width="770"
height="800"
style="width:770px;height:800px;" wrap="virtual">
<cfoutput>#form.PageContentLeft#</cfoutput>
</textarea>
gdemaria, it is good to hear from you.
I want to include almost all HTML. I use the TinyMCE editor to allow this client to enter content and update her web pages. I also need to use a wide range of HTML tags, so I don't want to block any valid HTML tags.
I would like to block stuff like <script>/remotehost/terrib
So I don't know if the HTMLEditFormat function is what I need. The Nadel article was great -- I like his blog a lot -- but Nadel mentions that developers need to be careful about escaping necessary HTML. (There are also some interesting notes about the vulnerabilities of scriptProtect. I have disabled scriptProtect in application.cfc, so that my client can embed video and slideshows using EMBED and OBJECT tags. Yet I wonder if in doing so I have made my application more vulnerable.)
So, I have been reading about XSS vulnerabilities, and I want to secure my application against them as much as I can; however, I don't know if HTMLEditFormat is what I need.
HTMLEditFormat makes my test page display HTML code -- which makes sense, given the way that I have used it.
Is HTMLEditFormat the right solution for this task? Is there a better way to block:
<script>/remotehost/terrib
Thank you again. Hope you are well.
Eric
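An added example, written for this editing pass and not taken from Eric's post, that separates the two jobs the question runs together: a plain-text field is encoded at output time, a rich-HTML field goes through an allowlist sanitizer, and the raw editor value is what gets stored. It assumes ColdFusion 10 for encodeForHTML() and ColdFusion 11 for getSafeHTML(); rawContent and the two function names are constructed for the illustration.

```cfml
<cfscript>
// Constructed sample input: legitimate markup mixed with a remote script element
rawContent = '<p>Welcome to our <b>site</b>!</p>'
           & '<script src="http://remotehost.example/bad.js"></script>'
           & '<embed src="slideshow.swf">';

// Plain-text context (PageTitle): the value is data, not markup. Encode it at the
// moment it is written into the page so the browser never parses it as a tag.
// Nothing has to be "blocked", because nothing is executable once it is encoded.
function renderAsText(required string value) {
    return encodeForHTML(arguments.value);   // CF10+; htmlEditFormat() on CF8/9
}

// Rich-HTML context (PageContentLeft/Right): the value must render as markup, so
// encoding is the wrong tool here. Encoding a rich-HTML field before the UPDATE
// stores entities, which is why the saved page later shows literal HTML code.
// A regex that deletes <script>...</script> is a blocklist: it removes only what
// it matches and leaves every other way of running script untouched. An allowlist
// sanitizer does the opposite: it keeps only the tags and attributes a policy names.
function renderAsRichHtml(required string value) {
    // CF11+, backed by an AntiSamy policy. A custom policy file can be passed as
    // the second argument to permit <embed>/<object> for this one client instead
    // of turning off scriptProtect for the whole application.
    return getSafeHTML(arguments.value);
}

// Store the raw editor content unchanged; encode or sanitize here, at output.
writeOutput("<h1>" & renderAsText("Eric's <Page> & more") & "</h1>");
writeOutput(renderAsRichHtml(rawContent));   // script element is dropped; the policy decides the rest
</cfscript>
```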