Cindi,

You need to use HTMLEditFormat in the handler... where's the code that takes the POST request and does something with it?

-Mark

Mark A. Kruger, MCSE, CFG
(402) 408-3733 ext 105
Skype: markakruger
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: cindi gannon [mailto:cindi.gan...@bnymellon.com]
Sent: Friday, August 27, 2010 1:00 PM
To: cf-talk
Subject: HTMLEditFormat and Cross Site Scripting

New to the cross site scripting arena - trying to prevent users from entering javascript into form fields and the javascript from executing. Pretty much anything goes in the form fields - so I am trying to add htmleditformat to my code - but the javascript is still executing when I click submit. What am I doing wrong?? No matter what, anytime I put in some script code into the ID input box - the JS gets executed.

code:

<form action="index.cfm" method="POST" name="myForm">
<cfoutput>
<tr><td align="right" class="text9">Enter ID:</td><td><input type="text" name="logName" value="#HtmlEditFormat(VARIABLES.logName)#" size="12"></td></tr>
</cfoutput>
<tr><td align="center" colspan="2">
<input type="submit" name="submit" id="subbtn" title="Submit" value="Submit" />
</td></tr>
</form>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:336626
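As an added illustration of Mark's point (example code written for this page, not from either poster): an assumed index.cfm handler that reads the posted logName and encodes it at every place it is written back into HTML, not only in the input's value attribute. The ID character rule and the echo-back message are assumptions.

```cfml
<!--- index.cfm: assumed handler for the form above (added example, not from the thread) --->
<!--- 1. FORM.logName only exists after a POST, so give it a default. --->
<cfparam name="FORM.logName" default="">
<cfset VARIABLES.logName = Trim(FORM.logName)>

<!--- 2. Validate the raw value server-side: an ID is a small, fixed character set
       (assumed rule). Rejecting everything else is simpler and safer than trying
       to strip script tags out of free text. --->
<cfset VARIABLES.idIsValid = REFind("^[A-Za-z0-9_-]{1,12}$", VARIABLES.logName) GT 0>

<cfoutput>
<!--- 3. The usual mistake: echoing the submitted value somewhere else on the page
       without encoding. A line like the one below is what lets posted markup run,
       because the browser parses it as HTML. Shown commented out, only to point at
       the bug:
       <p>You entered: #FORM.logName#</p>
--->

<!--- 4. Every output of user-controlled data goes through HTMLEditFormat, which
       encodes <, >, & and ". It does NOT encode the single quote, so attribute
       values must be wrapped in double quotes, as they are here. --->
<cfif Len(VARIABLES.logName) AND NOT VARIABLES.idIsValid>
    <p class="text9">"#HTMLEditFormat(VARIABLES.logName)#" is not a valid ID.</p>
</cfif>

<form action="index.cfm" method="POST" name="myForm">
<table>
<tr><td align="right" class="text9">Enter ID:</td>
    <td><input type="text" name="logName" size="12"
               value="#HTMLEditFormat(VARIABLES.logName)#"></td></tr>
<tr><td align="center" colspan="2">
    <input type="submit" name="submit" id="subbtn" title="Submit" value="Submit" /></td></tr>
</table>
</form>
</cfoutput>
```

HTMLEditFormat only covers HTML body and double-quoted attribute contexts; a value placed inside a script block or an event-handler attribute needs a different encoding, so the simplest defence is to never write user input into those contexts at all.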