[thelist] removing line feed and carriage return characters incoldfusion

Chris Hayes chris at lwcdial.net
Fri Jul 21 17:55:07 CDT 2006


Can't see how this affects CFMAIL.

If anybody can I'd be keen to look into it further.


If you're going to replace CRLF you should use replacenocase(string, 
replace_string, "ALL")  as regex replaces are slower
 than a straight replace, and I think case is irrelevant with CRLF.

 the CF for CRLF is "'#chr(10)##chr(13)#"...  this should work for REReplace




----- Original Message ----- 
From: "Sarah Adams" <mrsanders at designshift.com>
To: "thelist" <thelist at lists.evolt.org>
Sent: Friday, July 21, 2006 6:03 PM
Subject: [thelist] removing line feed and carriage return characters
incoldfusion


> In my reading about how to prevent email header injection attacks, I've
> seen many references to removing the following new line characters:
>
> \n and %0A - line feed
> \r and %0D - carriage return
>
> Unfortunately all the articles I found were specific to PHP, so I'm not
> quite sure how to translate this into ColdFusion. Here's what I was
> thinking:
>
> <cfif REFindNoCase("[\n#Chr(10)#\r#Chr(13)#]", Form.Email)>
>
> But I'm really not sure if Chr(10) is equivalent to %0A (or, for that
> matter, why checking for \n and \r isn't enough). Suggestions?
>
> -- 
> sarah adams
> web developer & programmer
> portfolio: http://sarah.designshift.com
> blog: http://hardedge.ca
> -- 
>
> * * Please support the community that supports you.  * *
> http://evolt.org/help_support_evolt/
>
> For unsubscribe and other options, including the Tip Harvester
> and archives of thelist go to: http://lists.evolt.org
> Workers of the Web, evolt !
>
>
> -- 
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.394 / Virus Database: 268.10.3/394 - Release Date: 20/07/2006
>
>




More information about the thelist mailing list