Using ColdFusion 8 I usually escape all my form inputs like so:
<input id="foo" value="#XMLFormat(trim( form_name.param_name ))#" />
So how about hidden inputs? Should these also be escaped? I haven’t tried, but I could very well pull a hidden input up in Firebug, enter whatever and try to submit, can I?
The goal of escaping in this case is to keep the HTML well formed so yes – hidden vars need to be escaped (or encoded) as well. I usually use urlencodedformat() for this. Consider what would happen if the value you were placing in the hidden var were a variable like this:
The output would actually look like this:
This would mean your hidden var would come through as “Bob ” … and the rest would be lost. The situation might get worse if any part of your strings contain HTML or slashes or angle brackets.
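The truncation the answer describes, as an added example that is not code from the question or the answer. ColdFusion is not used here; Python's standard library stands in, with `html.escape(..., quote=True)` playing the role of an HTML-attribute encoder (ColdFusion's `HTMLEditFormat()` or, on CF10 and later, `EncodeForHTMLAttribute()`) and `html.parser` playing the role of the browser parsing the form. The input name and the values are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser


class InputCollector(HTMLParser):
    """Browser-like parse: record the attributes of every <input> seen."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            # html.parser lower-cases attribute names and decodes entities
            # in attribute values, which is what a browser does too.
            self.inputs.append(dict(attrs))


def render_hidden_raw(name, value):
    """Unsafe: the value is dropped straight into the attribute."""
    return f'<input type="hidden" name="{name}" value="{value}" />'


def render_hidden_encoded(name, value):
    """Safe: attribute-encode the value. quote=True turns " and ' into
    entities in addition to &, < and >, so the attribute cannot be closed
    early and the browser decodes the entities back on submit."""
    return (
        f'<input type="hidden" name="{name}" '
        f'value="{html.escape(value, quote=True)}" />'
    )


def parsed_input(markup):
    """Return the attribute dict of the first <input> in the markup."""
    parser = InputCollector()
    parser.feed(markup)
    parser.close()
    return parser.inputs[0]


def compare(name, value):
    """Show what survives the round trip with and without encoding."""
    raw = parsed_input(render_hidden_raw(name, value))
    encoded = parsed_input(render_hidden_encoded(name, value))
    return {
        "raw_value": raw.get("value"),
        "raw_extra_attrs": sorted(k for k in raw if k not in ("type", "name", "value")),
        "encoded_value": encoded.get("value"),
        "encoded_extra_attrs": sorted(k for k in encoded if k not in ("type", "name", "value")),
    }


if __name__ == "__main__":
    # Constructed sample values: one with an embedded quote (the "Bob " case),
    # one that uses the quote to smuggle in a second attribute.
    for sample in ('Bob "Smith"', 'x" data-injected="y'):
        print(repr(sample), "->", compare("who", sample))
```

The second sample is the practitioner's reason to care beyond well-formedness: with the raw template a double quote in the value not only truncates it to `x`, it lets the value contribute a new attribute to the element. Whatever encoder is used, it has to be the one for the context the value lands in (an HTML attribute here) so that the browser decodes it back to the original string when the form is submitted.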