cfUniForm v4.6.0 - IMPORTANT PrettyComments XSS Vulnerability Fix Release
Posted on September 11, 2011 at 5:38 PM in ColdFusion, Uni-Form Tag Library, jQuery
IMPORTANT: If you have textareas in any of your forms, you will want to upgrade!
A big THANK YOU! to Marc Esher for identifying an XSS vulnerability with the plugin that cfUniForm had previously used for "expandable" textareas. Marc contacted the author of the PrettyComments jQuery plugin repeatedly in an effort to help the author resolve this issue. However, the author gave no indication that he was interested in a fix. Because of this, cfUniForm now uses Elastic for expandable textareas.
How does this affect me?
If you are just using cfUniForm "out-of-the-box", it will have no effect on you whatsoever, other than removing an XSS vulnerability from your forms. However, if you are using any of the following attributes, you might need to make some changes:
- configTextareaResize
- textareaMaxHeight
- textareaSetup
Elastic relies on CSS to handle things such as max-height, and accepts no configuration parameters. For this reason, each of the attributes listed above has been removed from cfUniForm, effective immediately.
Altering Max-Height
Should you wish to use a custom value for the max-height, you can add the following to your site's CSS file:

```css
.resizableTextarea { max-height: 500px; }
```
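To make the class of problem concrete, here is an added illustration (not cfUniForm, PrettyComments or Elastic code, and the post does not describe how the PrettyComments bug actually worked). Mirror-based "expandable" textarea scripts copy whatever the user typed into a hidden element so the browser can measure its height; the assumption shown here is only that a script which writes that text through `innerHTML` turns user input into live markup, which is a DOM XSS sink. The safe variants escape the text or, better, hand it to the DOM as text via `textContent`, and leave the height cap to the stylesheet's `max-height` exactly as the CSS rule above does. All function names and the sample input are constructed for this example.

```javascript
// Added illustration: why a textarea auto-resize helper is an XSS sink when it
// uses innerHTML on user text, and what the safe pattern looks like.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can open markup or an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// VULNERABLE PATTERN (assumed, for illustration): raw user text is
// concatenated into HTML so that newlines become <br>. Any tag the user
// typed is rendered by the browser when this string hits innerHTML.
function mirrorMarkupUnsafe(text) {
  return String(text).replace(/\n/g, '<br>') + '<br>&nbsp;';
}

// Safe string-building variant: escape first, then add only the layout
// tags we control ourselves.
function mirrorMarkupSafe(text) {
  return escapeHtml(text).replace(/\n/g, '<br>') + '<br>&nbsp;';
}

// Cheap check for a unit test or code review: does the markup contain any
// element other than our own <br>?
function containsForeignTag(markup) {
  return /<(?!br>)[a-z!/]/i.test(markup);
}

// Browser wiring that avoids innerHTML entirely. The hidden mirror shares the
// textarea's font metrics and width; the text goes in via textContent, so the
// DOM treats it as characters, never as markup. No max-height is applied in
// script: a CSS max-height on the textarea overrides the inline height set
// here, which is the CSS-driven approach the post describes for Elastic.
function attachAutoResize(textarea) {
  const doc = textarea.ownerDocument;
  const mirror = doc.createElement('div');
  mirror.setAttribute('aria-hidden', 'true');
  mirror.style.cssText =
    'position:absolute;visibility:hidden;top:0;left:-9999px;' +
    'white-space:pre-wrap;word-wrap:break-word;';
  textarea.parentNode.insertBefore(mirror, textarea);

  const update = () => {
    const cs = doc.defaultView.getComputedStyle(textarea);
    for (const prop of ['width', 'font', 'lineHeight', 'padding', 'border']) {
      mirror.style[prop] = cs[prop];
    }
    mirror.textContent = textarea.value + '\n '; // text, not HTML
    textarea.style.height = mirror.offsetHeight + 'px';
  };

  textarea.addEventListener('input', update);
  update();
  return update; // returned so callers can re-run it after programmatic changes
}

// Runs only in a browser; Node has no document.
if (typeof document !== 'undefined') {
  for (const ta of document.querySelectorAll('textarea.resizableTextarea')) {
    attachAutoResize(ta);
  }
}
```

`containsForeignTag` is the kind of assertion worth keeping in a test suite for any widget that mirrors user text: it fails on the unsafe builder and passes on the safe one for the same input, which is what a defender wants to catch before a plugin like this ships.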
Thanks, and Sorry!
Thank you again to Marc for identifying the issue and finding/testing a replacement to help keep your cfUniForm-powered forms safe!
I apologize for the inconvenience of having to upgrade your entire cfUniForm library, but we simply could not wait any longer for the author to take action.
On 2/9/12 at 6:07 AM, Matt Quackenbush said:
http://www.quackfuzed.com/demos/cfUniForm/
:-)