Using information from a Ben Nadel article, jsStringFormat( htmlEditFormat()) seems to be catching insertions like <b> and escaping them.
However, I have tried a number of regex routines from http://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks plus another from a CF article that I can't place at the moment, to catch statements like "select * from tblX" inserted into a text field. None of them seem to work. The number of articles and pages making recommendations and giving examples is overwhelming. Can someone provide a suggestion for protecting a site in addition to what I got from Nadel and using ScriptProtect?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359118
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
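The post is looking for a regex that recognises "select * from tblX" in a form field. The approach that removes the need to recognise anything is to bind user input as a query parameter and to encode at output time. The following is an added ColdFusion example, not code from the post or from the articles it cites; the datasource name, the `id`/`name` columns and the `form.name` field are assumed, and `tblX` is the table name the post uses.

```cfml
<!--- Added example (not from the original post). Shows why pattern-matching input is
      unreliable and what to use instead. Datasource, column and form-field names are
      assumed for illustration. --->

<!--- VULNERABLE: user input concatenated straight into the SQL text. A regex blacklist
      that looks for "select * from" does not make this safe: the same statement can be
      written with different case, spacing or comments and still reach the database. --->
<cfquery name="qUserUnsafe" datasource="myDSN">
    SELECT id, name FROM tblX
    WHERE name = '#form.name#'
</cfquery>

<!--- SAFER: cfqueryparam sends the value as a bound parameter. The database never parses
      it as SQL, so it does not matter what text the user typed. cfsqltype and maxlength
      also reject values that do not fit the column. --->
<cfquery name="qUser" datasource="myDSN">
    SELECT id, name FROM tblX
    WHERE name = <cfqueryparam value="#form.name#" cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>

<!--- OUTPUT: encode at the point of display instead of stripping tags on input.
      HTMLEditFormat() (the function the post already uses) escapes <, >, & and ", so a
      stored "<b>" is shown literally rather than rendered as markup. --->
<cfoutput query="qUser">
    <li>#HTMLEditFormat(qUser.name)#</li>
</cfoutput>

<!--- When the value lands inside a JavaScript string, apply JSStringFormat() on top of
      HTMLEditFormat(), the same combination the post describes. --->
<cfoutput>
<script type="text/javascript">
    var userName = "#JSStringFormat(HTMLEditFormat(qUser.name))#";
</script>
</cfoutput>
```

The point of the contrast is that the first query has to guess which strings are dangerous, while the second never lets the input become part of the SQL grammar; ScriptProtect and the regex routines can stay as defence in depth, but cfqueryparam is the control that actually closes the SQL injection path.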