Author: Steven Neiland
Published:

Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.

This week I encountered an annoying bug in my blog editor that had me ready to tear my hair out.

On odd occasions I like to embed videos that I find interesting in my blog. However, when I tried to post one this week I encountered a strange error. Every time I submitted my blog post, the video would fail to appear on the public side of the site.

Tags Being Changed

A quick look showed that the object and embed tags were being changed when the form was submitted.

Before

This is the code I was pasting into my form text area.

<object width="560" height="315">
..snip some params ..
<embed src="{some url}" type="application/x-shockwave-flash" width="560" height="315" allowscriptaccess="always" allowfullscreen="true"></embed></object>

After

And this is the code that came back from the database. Notice how both the opening embed and object tags have been changed to "invalidTag".

<invalidTag width="560" height="315">
..snip some params ..
<invalidTag src="{some url}" type="application/x-shockwave-flash" width="560" height="315" allowscriptaccess="always" allowfullscreen="true"></embed></object>

The Culprit

My first thought was that this had something to do with my recent site update to HTML5, but a quick test with a simple transient HTML4 form yielded the same results. After about ten minutes of searching, DDG turned up a post by Ray Camden from 2007 about the same error.

It turns out that when I turned on script protection a couple of months ago I introduced this problem, duh. As I only embed videos on rare occasions, I simply did not notice until this week.

Well, the easy fix was to turn off script protection in the cfadmin. Since I already strip out code from public form inputs, it was not needed. As an alternative to turning off script protection in the CF admin, you can turn it off on a per-application basis by putting this setting in your Application.cfc file.

<cfset this.scriptProtect="false">
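Turning script protection off does not repair posts that were saved while it was on; they stay in the database in the mangled form shown under "After". The following is an added example, not code from the original post: a Python emulation of the rewrite, plus a check for stored records that were hit by it. The regular expression and its five tag names are assumptions modelled on the behaviour shown above, and the sample URL is constructed.

```python
import re

# Assumed pattern: the post only shows object and embed being rewritten;
# the other three tag names are an assumption about the filter's list.
BLOCKED = re.compile(r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE)

# Closing tags for the same names. The rewrite pattern never matches these,
# because the "/" sits between "<" and the tag name.
CLOSER = re.compile(r"</\s*(object|embed|script|applet|meta)\s*>", re.IGNORECASE)


def script_protect(value):
    """Emulate the rewrite: '<' plus a blocked tag name becomes '<invalidTag'."""
    return BLOCKED.sub("<invalidTag", value)


def orphaned_closers(stored):
    """Return closing tags left behind in a record whose openers were rewritten.

    An empty list means the record does not carry the '<invalidTag' marker.
    """
    if "<invalidTag" not in stored:
        return []
    return [m.group(1).lower() for m in CLOSER.finditer(stored)]


# Constructed sample, shaped like the snippet in the post.
SAMPLE = (
    '<object width="560" height="315">'
    '<embed src="https://video.example/v/1" '
    'type="application/x-shockwave-flash"></embed></object>'
)

if __name__ == "__main__":
    stored = script_protect(SAMPLE)
    print(stored)                    # openers rewritten, closers untouched
    print(orphaned_closers(stored))  # closing tags that no longer have an opener
```

Running `orphaned_closers` over each stored post body lists the entries that need to be re-pasted from the original embed code.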

Reader Comments

Navin
Tuesday, May 2, 2017 at 8:18:59 AM EDT

Thank you so very much! I was tearing my hair out trying to fix this issue for 5 hours..
