Hi Andrew,

But consider a CMS or 'landing page creator' that allows users to create their own landing pages - and insert their own Google Analytics code. So I would need to be able to tell AntiSamy that I want to allow a specific script...

A Google search didn't turn up anything. I guess I could use a regex to find it, strip it out, then run AntiSamy, then put the GA code back in...

Brook

-----Original Message-----
From: Andrew Scott [mailto:andr...@andyscott.id.au]
Sent: May-19-11 4:56 PM
To: cf-talk
Subject: RE: AntiSpammy vs http://www.cflib.org/udf.cfm/safetext for preventing XSS

AntiSamy is brilliant; the way this is used is as an HTML string cleaner. What that means is that you define which configuration type you want; there are predefined configs like Slashdot, to name but one. These configs are fully configurable as to the HTML elements. The Slashdot config is what Slashdot itself uses to clean any user input from their site that contains HTML.

Now as for your question, it doesn't clean the HTML that is first being served or generated by your application. It cleans any text or string input, by passing it through the library, and then getting back a sanitized version that you can then do with as you wish. So that means your GA will still work because that came from the page itself, and you would not want to use GA in what people enter in your text boxes and text areas.

Hope that helps.

Regards,
Andrew Scott
http://www.andyscott.id.au/

> -----Original Message-----
> From: Brook Davies [mailto:cft...@logiforms.com]
> Sent: Friday, 20 May 2011 1:09 AM
> To: cf-talk
> Subject: AntiSpammy vs http://www.cflib.org/udf.cfm/safetext for
> preventing XSS
>
> Hi Guys,
>
> I'm currently using the safeText UDF
> (http://www.cflib.org/udf.cfm/safetext)
> to clean user submitted content, both HTML fragments and full HTML
> documents. Based on some reading over at
> http://www.petefreitag.com/item/760.cfm , I am considering using
> AntiSamy instead. What I want to know is:
>
> 1. What are your experiences with this?
>
> 2. I need to be able to explicitly allow some script tags - like
> the Google Analytics code. Is this possible with AntiSamy?
>
> 3. I'm gonna test this some more on my end, but I am guessing that
> there would be substantially more overhead in instantiating and
> invoking the AntiSamy Java classes and scanning 100 elements than there
> would be calling an application scoped UDF method. Does that sound right?
> I'm gonna (time permitting) test this today.
>
> Just thought I would post this (maybe someone who's not knee deep in
> 'ColdFusion and Ajax Choices' nonsense) and see if anyone had any
> experience with it before I jump in..
>
> Brook

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344735