This week I encountered an annoying bug in my blog editor that had me ready to tear my hair out.
On odd occasions I like to embed videos that I find interesting in my blog. However when I tried to post one this week I encountered a strange error. Every time I submitting my blog post the video would fail to appear on the public side of the site.
A quick look showed that the object and embed tags were being changed when the form was submitted.
This is the code I was pasting into my form text area.
And this is the code that came back from the database. Notice how both the opening embed and object tags have been changed to "invalidTag".
..snip some params ..
My first thought was that this had something to do with my recent site update to html5 but a quick test with a simple transient html4 form yielded the same results. After about ten minutes of searching DDG turned up a post by Ray Camden from 2007 about the same error.
It turns out that when I turned on script protection a couple of months ago I introduced this problem duh. As I only embed videos on rare occasions I simply did not notice until this week.
Well the easy fix was to turn off script protection in the cfadmin. Since I already strip out code from public form inputs it was not needed. As an alternative to turning off script protection in the cf admin you can turn it off on a per application basis by putting this setting in your Application.cfc file.
<cfset this.scriptProtect="false">
Since the article was originally written the behavior of script protect has changed slightly. You now set the option to "none". For more information see this link.
Thanks to Clark Baker for the update.