
Problem

I am working in a multi-application environment. Recently I discovered a problem: when other applications hit my warehouse database, they insert some HTML tags and JavaScript. That data is displayed in my system as HTML-formatted reports, so the tags and script data are affecting my site. So I started doing HtmlEditFormat() everywhere to protect my site, but I have almost 1000 reports. It was a very bad task for me, so I tried to build a function to do the job quickly, without using the HtmlEditFormat() function everywhere and without changing my warehouse data, because all that data is valid.

Solution

That's why I created an automated function that refines the data without modifying it in the database. It returns a query with any string values sanitized by HTMLEditFormat. Only values of the types varchar, char, nvarchar, text and ntext are modified; numeric and date columns are left untouched.

Detailed explanation

Example:

Suppose you have some HTML tag in GroupName or in GroupDesc.
Then you can do this:

<cfquery name="groupList" datasource="TestDSN">
    select
        ID,
        GroupTypeID,
        GroupName,
        GroupDesc
    from
        groups
    where
        tiRecordStatus = 1
</cfquery>
<!--- Now call the queryh() function to escape HTML tags --->
<cfset groupList = queryh(groupList) />

This function automatically looks at the columns where a tag can be inserted (the string-typed columns identified from the query metadata).
It then escapes that bad data in the returned query without changing or updating it in the table.

Parameters:

Name     Description         Required
query    Query to modify.    Yes

Full UDF Source:

<!---
 Returns a query with any string values sanitized by HTMLEditFormat.
 @param query      Query to modify. (Required)
 @return Returns a query.
 @author Kalyan Dhar (kalyan.cse.jis@gmail.com)
--->

<cffunction name="queryh" returnType="query" description="returns query after sanitizing descriptive fields">
    <cfargument name="query" type="query" required="true">

    <!--- Columns that will be escaped, chosen from the result-set metadata --->
    <cfset var list = "" />
    <!--- SQL type names treated as string columns --->
    <cfset var listSelect = "varchar,char,nvarchar,text,ntext" />
    <cfset var column = "">
    <cfset var metadata = "">
    <cfset var type = "">

    <!--- The metadata is the same for every column, so fetch it once --->
    <cfset metadata = query.getMetaData()>
    <cfloop list="#query.ColumnList#" index="column">
        <cfset type = metadata.getColumnTypeName(query.findColumn(column))>
        <cfif listFindNoCase(listSelect, type)>
            <cfset list = listAppend(list, column)>
        </cfif>
    </cfloop>

    <!--- Escape every cell of every string column, row by row, in the query object --->
    <cfif listLen(list)>
        <cfloop query="query">
            <cfloop list="#list#" index="column">
                <cfset querySetCell(query, column, htmlEditFormat(query[column][currentRow]), currentRow)>
            </cfloop>
        </cfloop>
    </cfif>

    <cfreturn query />
</cffunction>
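As an added example (not part of the recipe above), here is a cfscript version of the same idea that uses the documented getMetaData(query) function instead of the Java result-set methods, together with a constructed query that exercises it without a datasource. The function name queryhScript, the sample rows and the expected engine type names (VARCHAR, INTEGER) are assumptions.

```cfml
<cfscript>
// queryhScript: cfscript version of the recipe's idea. It uses the documented
// getMetaData(query) function (array of structs with Name and TypeName) instead of
// the Java QueryTable methods, and escapes only columns whose TypeName is a string type.
function queryhScript(required query q) {
    var stringTypes = "varchar,char,nvarchar,text,ntext";
    var targets = "";
    var col = "";
    var meta = getMetaData(arguments.q);
    var i = 0;
    var row = 0;

    for (i = 1; i <= arrayLen(meta); i++) {
        if (listFindNoCase(stringTypes, meta[i].TypeName)) {
            targets = listAppend(targets, meta[i].Name);
        }
    }
    // HTMLEditFormat escapes <, >, & and double quotes. Call it once per query:
    // running it again on already-escaped output double-encodes the ampersands.
    for (row = 1; row <= arguments.q.recordCount; row++) {
        for (i = 1; i <= listLen(targets); i++) {
            col = listGetAt(targets, i);
            querySetCell(arguments.q, col, htmlEditFormat(arguments.q[col][row]), row);
        }
    }
    return arguments.q;
}

// Constructed sample data (no datasource needed). Column types are given explicitly
// because the check assumes the engine reports them as VARCHAR / INTEGER.
demo = queryNew("ID,GroupTypeID,GroupName,GroupDesc", "integer,integer,varchar,varchar");
queryAddRow(demo);
querySetCell(demo, "ID", 1);
querySetCell(demo, "GroupTypeID", 7);
querySetCell(demo, "GroupName", "Admins & Ops");
querySetCell(demo, "GroupDesc", "<script>alert(1)</script>");

clean = queryhScript(demo);

// Self-check: string columns are escaped, numeric columns are left alone.
if (clean.GroupDesc[1] neq "&lt;script&gt;alert(1)&lt;/script&gt;") throw(message="GroupDesc not escaped");
if (clean.GroupName[1] neq "Admins &amp; Ops") throw(message="GroupName not escaped");
if (clean.ID[1] neq 1) throw(message="numeric column was modified");
writeOutput("queryhScript self-check passed");
</cfscript>
```

On ColdFusion 10 or later, encodeForHTML() is the context-aware alternative to HTMLEditFormat(), and values that end up inside an attribute or a script block need encodeForHTMLAttribute() or encodeForJavaScript() instead.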



This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Permissions beyond the scope of this license, pertaining to the examples of code included within this work are available at Adobe.
