cfUniForm v4.6.0 - IMPORTANT PrettyComments XSS Vulnerability Fix Release

Posted on September 11, 2011 at 5:38 PM in ColdFusion, Uni-Form Tag Library, jQuery

IMPORTANT: If you have textareas in any of your forms, you will want to upgrade!

A big THANK YOU! to Marc Esher for identifying an XSS vulnerability with the plugin that cfUniForm had previously used for "expandable" textareas. Marc contacted the author of the PrettyComments jQuery plugin repeatedly in an effort to help the author resolve this issue. However, the author gave no indication that he was interested in a fix. Because of this, cfUniForm now uses Elastic for expandable textareas.

How does this affect me?

If you are just using cfUniForm "out-of-the-box", it will have no effect on you whatsoever, other than removing an XSS vulnerability from your forms. However, if you are using any of the following attributes, you might need to make some changes:

  • configTextareaResize
  • textareaMaxHeight
  • textareaSetup

Elastic relies on CSS to handle things such as max-height, and accepts no configuration parameters. For this reason, each of the attributes listed above has been removed from cfUniForm, effective immediately.

Altering Max-Height

Should you wish to use custom values for the max-height, you can add the following to your site's CSS file:

  .resizableTextarea {max-height: 500px;}
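The post does not describe the exact flaw in PrettyComments, so the following is only an added illustration (not code from cfUniForm, Elastic or PrettyComments) of the pattern that keeps an expandable-textarea plugin safe: the typed text is copied into a hidden "mirror" element for height measurement as escaped text rather than live markup, and the CSS max-height shown above does the capping. The function names and the `syncHeight` DOM hook are assumptions of this example.

```javascript
// Escape one textarea value so a hidden mirror element can render it for
// height measurement without ever interpreting the user's text as HTML.
// Only layout survives: consecutive spaces and line breaks.
function escapeForMirror(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/ {2}/g, " &nbsp;")  // keep runs of spaces from collapsing
    .replace(/\r?\n/g, "<br>");   // each newline adds one line of height
}

// Defensive check: after escaping, the only tags present must be the <br>
// elements this code inserted itself, so nothing the user typed is markup.
function onlyLineBreakTags(markup) {
  return markup.replace(/<br>/g, "").indexOf("<") === -1;
}

// Browser-side hook (assumes a DOM; not exercised offline): render the escaped
// copy in the mirror, then size the textarea to the measured height. The
// textarea's CSS max-height (e.g. .resizableTextarea {max-height: 500px;})
// clamps the result, which is why no max-height option is needed in script.
function syncHeight(textarea, mirror) {
  mirror.innerHTML = escapeForMirror(textarea.value);
  textarea.style.height = mirror.scrollHeight + "px";
}
```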

Thanks, and Sorry!

Thank you again to Marc for identifying the issue and finding/testing a replacement to help keep your cfUniForm-powered forms safe!

I apologize for the inconvenience of having to upgrade your entire cfUniForm library, but we simply could not wait any longer for the author to take action.

Comments

On 9/12/11 at 10:36 PM, Glenn said:

Thanks for the latest update & fixing the XSS vulnerability. Just installed and all appears to be well. :-)

On 9/13/11 at 12:07 AM, Matt Quackenbush said:

@ Glenn - The thanks goes to Marc Esher, seriously! But I *am* super glad to hear that it all appears well for you. :-)

On 12/30/11 at 6:54 AM, Matthew said:

Where do I find basic documentation on this project? Thanks

On 2/9/12 at 6:07 AM, Matt Quackenbush said:

@ Matthew - Somehow missed this comment, but in case you have not yet found it, the link is under the "Quick Links" on every page. Or here:

http://www.quackfuzed.com/demos/cfUniForm/

:-)

On 4/13/12 at 2:38 AM, George Murphy said:

Hi Matt, I'll see you at cfObjective. Quick question, have you done any demo pages for use of the jQuery UI? Like tabs and things like that?

On 6/13/12 at 9:43 PM, Matt Quackenbush said:

@ George - It was great to see you at cf.Objective(). Looks like I've not gotten the latest updates on the demo section, but the jQuery UI demos are in the GitHub repo. HTH!