brian_klaas
Inspiring
July 5, 2011
Question

Disable Global Script Protection on a Per-Request Basis?


Is there a way to disable global script protection on a per-request basis? For example, if you have an admin section where customers can generate HTML for display on a page, and you want to allow them to embed a YouTube video, having global script protection turned on in the CF admin will result in the embed tag being replaced with InvalidTag. Is there a way to disable global script protection only on certain requests? I may not want general customers to embed YouTube videos into their form field entries, but admins should be able to do so.


Thanks!


    1 reply

    Owainnorth
    Inspiring
    July 5, 2011

    I don't believe that's possible no, it's an Application-wide setting. You could go down the road of having a /admin directory with its own Application.cfc with script protection disabled, but I wouldn't recommend it.

    Bear in mind as well that's a bit binary; either they can't post any code, or they can post whatever they want. This is why forums have special codes for people to enter which get around this. There's no point having the YouTube URL (and risk) involved in every post, so if it were me I'd do something like so:

    1) Person posts their thread. Content like so:

    "This is my post. It has words in it. Here is a video:
    "

    You store that.

    When showing it back, you do something like so:

    <cfoutput>

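         <!--- The capture is limited to video-ID characters so quotes or markup cannot reach the src attribute --->
         #reReplaceNoCase(str, "\[YouTube\]([A-Za-z0-9_-]+)\[/YouTube\]", '<object src="http://www.youtube.com/watch?v=\1"></object>', "all")#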

    </cfoutput>

    (I haven't tested the code btw, might take some fiddling)

    That way, you protect against script injection and allow people to post YouTube URLs.
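
The placeholder approach from the reply above, written out as an added example (it is not code from the thread): the stored text is HTML-escaped first, and only a strictly validated `[YouTube]` tag is expanded into markup that the server controls. The function name `renderPost`, the 11-character video-ID format and the `https://www.youtube.com/embed/` URL form are assumptions.

```cfml
<cfscript>
// Added example, not code from the thread. renderPost() is a hypothetical name.
function renderPost(required string raw) {
    // Step 1: escape <, >, & and " in everything the user typed, so the
    // stored text can never contribute markup of its own.
    var safe = htmlEditFormat(arguments.raw);

    // Step 2: expand only well-formed tags. The capture group accepts
    // exactly 11 characters from the video-ID alphabet (assumed format),
    // so nothing that could close the attribute or open a tag can match.
    var pattern = "\[YouTube\]([A-Za-z0-9_-]{11})\[/YouTube\]";

    // The markup is a fixed, server-side template; only \1 varies.
    // The embed URL form is an assumption, not taken from the thread.
    var embed = '<iframe width="560" height="315" src="https://www.youtube.com/embed/\1"></iframe>';

    return reReplaceNoCase(safe, pattern, embed, "all");
}

// Constructed sample input: one valid tag, one malformed tag, some raw HTML.
sample = 'Valid: [YouTube]abcDEF12345[/YouTube] '
       & 'Malformed: [YouTube]not "an" id[/YouTube] '
       & 'Raw HTML: <b>bold</b>';
</cfscript>

<cfoutput>#renderPost(sample)#</cfoutput>
```

Only the first tag in the sample is expanded into an embed; the malformed tag and the raw HTML are shown to the reader as escaped, literal text.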