On 3/6/07, Dave Watts <[EMAIL PROTECTED]> wrote:
> And, if you're going to allow users to provide arbitrary JavaScript,

It's what the client demanded and based on their needs it was a justifiable request. By 'draconian' I meant that the protection is applied to all form inputs, regardless of user authentication or anything else you as a developer want to throw into the mix. Throwing a complete blanket over everything without regard to allowing individual exceptions is where I have a problem.

By all means protect yourself from XSS, but I disagree with a system that doesn't allow you to bypass the rules as a developer if there's a good reason to do so.

--
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271792