User Guide
cfapplication 43
ColdFusion MX performs its cross-site scripting protection when it processes the application
settings at the beginning of a request. It can therefore process the URL, Cookie, CGI, and Form
variables in a user's request. By default, it replaces occurrences of the following tag names with
the text InvalidTag: object, embed, script, applet, and meta. It allows these names in plain text,
but replaces the words if they are used as tag names.
You can specify any or all ColdFusion scopes for protection, but only the Form, URL, CGI, and
Cookie scopes have variables that are often provided by unknown sources. Also, protecting a
scope requires additional processing. For these reasons, the all attribute value applies protection
to only the four scopes.
The script protection mechanism applies a regular expression that is defined in the
cf_root/lib/neo-security.xml file in the server configuration, or the
cf_root/WEB-INF/cfusion/lib/neo-security.xml file in the J2EE configuration, to the variable
value. You can customize the patterns that ColdFusion replaces by modifying the regular
expression in the CrossSiteScriptPatterns variable.
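The request-time replacement described above, modelled in Python as an added illustration (this is not ColdFusion's own code; the regular expression is an assumed approximation of the CrossSiteScriptPatterns entry, and the sample request is constructed):

```python
import re

# Constructed approximation of the CrossSiteScriptPatterns entry in
# neo-security.xml (assumption: the shipped pattern may differ in detail).
# It matches one of the five tag names only directly after '<' (optional
# whitespace), so the same words used in plain text are left alone.
CROSS_SITE_SCRIPT_PATTERN = re.compile(
    r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE)
REPLACEMENT = "<InvalidTag"

# The scopes that the all attribute value covers.
PROTECTED_SCOPES = frozenset({"form", "url", "cgi", "cookie"})


def protect_value(value):
    """Rewrite prohibited tag names in one variable value.

    Only the opening tag name is rewritten; the rest of the tag and any
    closing tag are passed through unchanged.
    """
    return CROSS_SITE_SCRIPT_PATTERN.sub(REPLACEMENT, value)


def protect_scopes(request, scopes=PROTECTED_SCOPES):
    """Apply the pattern to every string variable in the protected scopes.

    `request` maps a scope name to a dict of variable name -> value, the way
    request-time processing sees them. Scopes outside `scopes` (for example
    session) are returned unchanged.
    """
    protected = {}
    for scope, variables in request.items():
        if scope.lower() in scopes:
            protected[scope] = {
                name: protect_value(val) if isinstance(val, str) else val
                for name, val in variables.items()}
        else:
            protected[scope] = dict(variables)
    return protected


# Constructed sample request: plain-text use of the words versus tag use.
SAMPLE_REQUEST = {
    "form": {
        "comment": "Please embed the meta description in the script outline.",
        "bio": '<SCRIPT type="text/javascript"></SCRIPT>',
    },
    "url": {"q": "< applet code='Demo'>"},
    "session": {"note": "<object>"},  # not a protected scope
}

if __name__ == "__main__":
    for scope, variables in protect_scopes(SAMPLE_REQUEST).items():
        print(scope, variables)
```

The rewrite touches only tag names, so values still need HTML encoding when they are written back into a page.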
Locking server, application, and session variables
When you set or update variables in the server, application, and session scopes, use the cflock tag
with the scope attribute set to the following value:
• For server variables, specify "server"
• For application variables, specify "application"
• For session variables, specify "session"
In some cases, you should also lock code that reads variables in these scopes. For information
about locking scopes, see cflock on page 270.
Example
<!--- This example shows how to use cflock to prevent race conditions during
data updates to variables in Application, Server, and Session scopes. --->
<h3>cfapplication Example</h3>
<p>cfapplication defines scoping for a ColdFusion application and enables or
disables application and/or session variable storage. This tag is placed in
a special file called Application.cfm that automatically runs before any
other CF page in a directory (or subdirectory) where the Application.cfm
file appears.</p>
<cfapplication name = "ETurtle"
   sessionTimeout = #CreateTimeSpan(0, 0, 0, 60)#
   sessionManagement = "Yes">
<!--- Initialize session and application variables used by E-Turtleneck. --->
<cfparam name="application.number" default="1">
<cfparam name="session.color" default="">
<cfparam name="session.size" default="">
<cfif IsDefined("session.numPurchased") AND
IsNumeric(trim(session.cartTotal))>