Skip CFapplication locks (object, embed, …)



CFApplication blocks the OBJECT and EMBED HTML tags, as the documentation page explains:

The ColdFusion MX cross-site scripting protection operation is done when ColdFusion MX processes the application settings at the beginning of a request. Thus, it can process the URL, and Cookie, CGI, and Form variables in a user’s request. By default, it replaces occurrences of the following tag names with the text InvalidTag: object, embed, script, applet, and meta. It allows these names in plain text, replaces the words if they are used as tag names.

 

OBJECT and EMBED tags are used by almost all online video sharing services. If you built a CMS where users can insert a shared video, you have to work around this little problem without introducing too many security bugs. An easy approach may be to transform those tags before CFApplication and restore them after it, but only for selected fields. I've tried with encrypt and decrypt and with CFWDDX too; both work well! Example 1:

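    <!--- Serialize the selected field to WDDX before CFApplication runs its tag replacement --->
    <cfif isDefined("form.video")>
        <cfwddx action="cfml2wddx" input="#form.video#" output="form.video">
    </cfif>

    <cfapplication name="myApp" clientmanagement="yes" sessionmanagement="yes">

    <!--- Restore the original value once the application settings have been processed --->
    <cfif isDefined("form.video")>
        <cfwddx action="wddx2cfml" input="#form.video#" output="form.video">
    </cfif>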

 

Instead of CFWDDX you can use encrypt and decrypt:

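    <cfset key = "kt09j94rjfj438yhrf">

    <!--- Encrypt the selected field so CFApplication does not see any tag names in it --->
    <cfif isDefined("form.video")>
        <cfset form.video = encrypt(form.video, key)>
    </cfif>

    <cfapplication name="myApp" clientmanagement="yes" sessionmanagement="yes">

    <!--- Decrypt it again after the application settings have been processed --->
    <cfif isDefined("form.video")>
        <cfset form.video = decrypt(form.video, key)>
    </cfif>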
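With either workaround, form.video reaches the rest of the page without having passed through the tag replacement, so the restored field needs its own check before it is stored or rendered. The following is an added example, not code from the original post: it takes the src URL out of the submitted snippet, accepts it only when the host is on an allowlist, and rebuilds the embed tag itself instead of echoing the user's markup. The function name safeVideoEmbed, the allowlist hosts, and the type, width and height values are assumptions for illustration.

```cfml
<cfscript>
// Hypothetical helper (not part of ColdFusion): returns rebuilt embed markup,
// or an empty string when the submitted snippet is rejected.
function safeVideoEmbed(rawHtml, allowedHosts) {
    // Group 1 = full URL, group 2 = host name. Only double-quoted http(s)
    // URLs with a plain host (no port, no user@ part) are matched.
    var pattern = 'src\s*=\s*"(https?://([a-z0-9.-]+)/[^"<>\s]*)"';
    var m = REFindNoCase(pattern, rawHtml, 1, true);
    var videoUrl = "";
    var host = "";

    // No well-formed src attribute found: reject.
    if (m.pos[1] EQ 0) return "";

    videoUrl = Mid(rawHtml, m.pos[2], m.len[2]);
    host = LCase(Mid(rawHtml, m.pos[3], m.len[3]));

    // The host must equal an allowlist entry exactly, so a name such as
    // video.example.com.other.example does not pass.
    if (ListFindNoCase(allowedHosts, host) EQ 0) return "";

    // Emit our own tag; nothing else from the user's markup is kept.
    return '<embed src="' & HTMLEditFormat(videoUrl)
         & '" type="application/x-shockwave-flash" width="425" height="350"></embed>';
}
</cfscript>

<!--- Run this after the field has been restored (wddx2cfml or decrypt).
      The host list is a constructed sample; use the services your CMS supports. --->
<cfif isDefined("form.video")>
    <cfset form.video = safeVideoEmbed(form.video, "video.example.com,media.example.org")>
    <cfif form.video EQ "">
        <!--- Rejected input: store nothing and tell the user the video was not accepted --->
    </cfif>
</cfif>
```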

 

Bye. Have a good CFDay! (italian version)

If you find this article on a blog other than “blog.merlinox.com”, it is probably an unauthorized copy. The original address of this article is: Skip CFapplication locks (object, embed, …) written by .
