Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.
This week I encountered an annoying bug in my blog editor that had me ready to tear my hair out.
On odd occasions I like to embed videos that I find interesting in my blog. However, when I tried to post one this week I encountered a strange error. Every time I submitted my blog post, the video would fail to appear on the public side of the site.
Tags Being Changed
A quick look showed that the object and embed tags were being changed when the form was submitted.
Before
This is the code I was pasting into my form text area.
<object width="560" height="315">
..snip some params ..
<embed src="{some url}" type="application/x-shockwave-flash" width="560" height="315" allowscriptaccess="always" allowfullscreen="true"></embed></object>
After
And this is the code that came back from the database. Notice how both the opening embed and object tags have been changed to "invalidTag".
<invalidTag width="560" height="315">
..snip some params ..
<invalidTag src="{some url}" type="application/x-shockwave-flash" width="560" height="315" allowscriptaccess="always" allowfullscreen="true"></embed></object>
The Culprit
My first thought was that this had something to do with my recent site update to HTML5, but a quick test with a simple transient HTML4 form yielded the same results. After about ten minutes of searching, DDG turned up a post by Ray Camden from 2007 about the same error.
It turns out that when I turned on script protection a couple of months ago, I introduced this problem. Duh. As I only embed videos on rare occasions, I simply did not notice until this week.
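Why only the opening tags were rewritten, as an added example that is not from the original post and is not ColdFusion's own code: a small Python model of the rewrite and of how the setting selects which request scopes it touches. The pattern, the tag list and all function names are assumptions; the scope names are the ones listed in the reader comments.

```python
import re

# Assumed model of the rewrite shown in the post's "After" sample; this is
# not ColdFusion's own code, and the tag list is an assumption.
BLOCKED = re.compile(r"<\s*(?:object|embed|script|applet|meta)", re.IGNORECASE)
SCOPES = ("cookie", "url", "form", "cgi")  # scope names from the reader comment


def script_protect(value):
    """Rewrite blocked opening tags; closing tags start with '</' and never match."""
    return BLOCKED.sub("<invalidTag", value)


def protected_scopes(setting):
    """Map a scriptProtect setting to the set of scopes that get rewritten."""
    setting = setting.strip().lower()
    if setting == "none":
        return set()
    if setting == "all":
        return set(SCOPES)
    return {s.strip() for s in setting.split(",")} & set(SCOPES)


def apply_setting(setting, request):
    """Return a copy of request ({scope: {name: value}}) after protection."""
    active = protected_scopes(setting)
    return {
        scope: {k: script_protect(v) if scope in active else v for k, v in fields.items()}
        for scope, fields in request.items()
    }


def find_mangled(posts):
    """List ids of stored posts that were saved while protection was on."""
    return sorted(pid for pid, body in posts.items() if "<invalidtag" in body.lower())


# Constructed sample input, based on the snippet in the post.
BEFORE = ('<object width="560" height="315">'
          '<embed src="{some url}" type="application/x-shockwave-flash"></embed></object>')

if __name__ == "__main__":
    request = {"form": {"body": BEFORE}, "url": {"q": "video"}}
    print(apply_setting("none", request)["form"]["body"])   # unchanged
    print(apply_setting("form", request)["form"]["body"])   # opening tags rewritten
    print(find_mangled({1: BEFORE, 2: script_protect(BEFORE)}))
```

`find_mangled` is the cleanup check: rows saved while protection was on keep the rewritten markup after the setting is changed, so they have to be found and re-saved.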
Well, the easy fix was to turn off script protection in the ColdFusion Administrator. Since I already strip out code from public form inputs, it was not needed. As an alternative to turning off script protection in the ColdFusion Administrator, you can turn it off on a per-application basis by putting this setting in your Application.cfc file.
<cfset this.scriptProtect="false">
Update
Since the article was originally written, the behavior of script protection has changed slightly. You now set the option to "none". For more information see this link.
<cfset this.scriptProtect = "none">
Thanks to Clark Baker for the update.
Reader Comments
Tuesday, May 2, 2017 at 8:18:59 AM Coordinated Universal Time
Thank you so very much! I was tearing my hair out trying to fix this issue for 5 hours..
@BenNadel
Wednesday, May 8, 2019 at 8:36:02 AM Coordinated Universal Time
Nice, this is exactly what I needed. Been a long time since I needed to submit a Script tag as part of a form post!
Wednesday, August 28, 2019 at 5:20:08 AM Coordinated Universal Time
I tried adding <cfset this.scriptProtect="false"> in Application.cfm file for one client's website. It doesn't work! FYI, it's a Lucee server.
Tuesday, May 19, 2020 at 10:10:12 AM Coordinated Universal Time
As far as I can tell, this no longer works as stated above. It needs to be <cfset this.scriptProtect = "none">. Other valid options are any combination of "cookie,url,form,cgi": https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-a-b/cfapplication.html
If you want to disable this just for one template or a small group of templates, you can put them in a subdirectory with their own application.cfc that extends your root application.cfc.
@sneiland
Tuesday, May 19, 2020 at 10:39:44 AM Coordinated Universal Time
@ClarkBakerK12 I'm not surprised it's changed over the years, although I can't find any notes as to when the behavior changed.