ColdFusion, CFML, Open Source, and Friends

This is a blog post I have been contemplating for a long time, and I want to make sure I pick my words carefully so as not to send the wrong message.

I am currently an Adobe Community Professional and have been involved in the ColdFusion community for some time. I have been seen by my peers as an Adobe Fanboy, and, for the most part, I have been OK with that. I still like Adobe, I still support Adobe, and I actively use Adobe ColdFusion. But the part I need to get off my chest is that I am NOT against the Open Source CFML alternatives (specifically Railo and OpenBD). In fact, I believe that Railo and OpenBD, along with other open source projects like Mura CMS, ColdBox and ContentBox, FarCry, Slatwall, Razuna, and many others are vitally important to CFML's future.

Let's face it. ColdFusion and CFML do not have a great reputation. It's unfortunate that so many ignorant assholes spout off about ColdFusion because they once had a bad experience, or because they used it 10 years ago and assume that nothing has changed but them. But however you slice it, ColdFusion is looked down upon by much of the rest of the web development world. I believe that much of the disdain over Adobe ColdFusion is because it is a commercial, proprietary, closed-source system. I also believe that much of the reason our current community is becoming divided is for that same reason.


The importance of Mura (and Plugins)

What I've been thinking about

I've been thinking a lot lately about Blue River Interactive's Mura Content Management System (henceforth referred to as Mura CMS or just Mura), probably because I have been working a lot with it lately. I am in the process of converting a large, mostly static, web site to Mura, and I have been amazed by its power, versatility and ease-of-use. I have been especially pleased with how easy it is for me to make plugins for it.

While thinking about Mura, I have realized something important. Mura CMS is an incredible product with the potential to change the way that ColdFusion and CFML are viewed. And this needs to be recognized. It also has the potential to become a very popular, open source product used outside of the ColdFusion/CFML community.


XSS mitigation in ColdFusion, Part 1: Understanding HTML Contexts - Security Series #8.5.1

A long, long time has passed since my first post on Cross-Site Scripting. Looking back on it now, I realize that I have learned a lot since then. I do not think that post cuts the mustard anymore and I will need to do some writing to make up for that.

In the meantime, the topic of XSS came up on a discussion board a few weeks before I started writing this, and again on Ray's blog today, and I wanted to take some time to explore it in more depth. One common misconception about XSS mitigation in ColdFusion is that the best way to handle it is to use HTMLEditFormat() to output any user generated data. I had this same misconception for a long time and have helped to spread it.

While it is true that HTMLEditFormat() can stop many attacks in many locations in your applications, it is not a catch-all for XSS. HTMLEditFormat() only works in the HTML block content context of your applications, and it works there only because the four characters it escapes (&, <, > and the double quote) are exactly the ones that matter in that context. It leaves the single quote, the backslash and line breaks alone, so it does nothing useful inside a single-quoted attribute value, a JavaScript string, a CSS value or a URL parameter. Your applications have several other contexts where, if you use dynamic code, you can open up XSS vulnerabilities that HTMLEditFormat() cannot stop.

In this post, we will discuss these contexts, what they are, and why they need to be treated differently.
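To make the context problem concrete, here is an added example (not code from the original post) that outputs the same request parameter in four different contexts. Each context shows the HTMLEditFormat() version next to a version using a context-specific encoder. It assumes the EncodeForHTMLAttribute(), EncodeForJavaScript() and EncodeForURL() functions, which exist in ColdFusion 10 and later and in Railo 4.1+/Lucee; the parameter name `q` and the page `/search.cfm` are made up for the example.

```cfml
<!--- Added example, not from the original post. Assumes ColdFusion 10+ or
      Railo 4.1+/Lucee for the EncodeFor*() functions. The parameter q and
      the page search.cfm are invented for illustration. --->
<cfparam name="url.q" default="">

<cfoutput>
<!--- 1. HTML block content. HTMLEditFormat() escapes & < > and the double
     quote, which is enough here: no input can open a tag or an entity. --->
<p>You searched for: #HTMLEditFormat(url.q)#</p>

<!--- 2. Single-quoted attribute value. HTMLEditFormat() leaves ' untouched,
     so ?q=x'%20onmouseover='alert(1) closes the value and adds an event
     handler. Use the attribute encoder and keep the attribute quoted. --->
<input type="text" value='#HTMLEditFormat(url.q)#'>         <!--- vulnerable --->
<input type="text" value="#EncodeForHTMLAttribute(url.q)#"> <!--- safe --->

<!--- 3. JavaScript string literal. HTMLEditFormat() leaves ' and \ alone,
     so ?q=';alert(1);// terminates the literal and the rest is executed.
     HTML encoding is simply the wrong encoding for this context. --->
<script>var q = '#HTMLEditFormat(url.q)#';</script>         <!--- vulnerable --->
<script>var q = '#EncodeForJavaScript(url.q)#';</script>    <!--- safe --->

<!--- 4. Query-string parameter inside an href. HTMLEditFormat() leaves
     ? = / and spaces alone, so the input can append its own parameters;
     the value needs percent-encoding, not HTML encoding. --->
<a href="/search.cfm?q=#HTMLEditFormat(url.q)#">again</a>   <!--- wrong encoder --->
<a href="/search.cfm?q=#EncodeForURL(url.q)#">again</a>     <!--- safe --->
</cfoutput>
```

On engines older than ColdFusion 10, JSStringFormat() (which escapes quotes, backslashes and line breaks) covers the JavaScript string case and URLEncodedFormat() covers the query-parameter case; there is no built-in attribute encoder there, so always double-quote attributes and use HTMLEditFormat() inside them. Note that case 4 only encodes a parameter value: if the whole href is dynamic, no output encoding stops a `javascript:` URL, and the scheme has to be validated separately.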


The OWASP Top 10 for 2010 Release Candidate has been announced

I am pretty late in the game to blog about this, but I am going to do it anyway, because I can ;)

As many of you know, I am a very big fan of the Open Web Application Security Project (OWASP) and recently OWASP has announced the first release candidate of its Top 10 List for 2010.


Forget what you think you know about CFML - Twin Cities Language User Group

On Thursday evening (Nov 12, 2009 @ 5:30) I will be speaking to the Twin Cities Language User Group about CFML.

The Twin Cities Language User Group is, to me, a unique group. It is not focused on a particular language or family of languages, its concept seems to be to bridge the divide between languages and to expose developers to new ideas and methodologies. It seemed like a perfect place to pitch CFML and show other developers just how great CFML is.


Security Tip: New OWASP Blog and the OWASP Podcast

I've stated before how highly I think of the Open Web Application Security Project (OWASP) and I am now very glad to see that they have started a new blog. Hopefully the OWASP Blog will be a great resource for staying up-to-date on security related current events, and to learn more about the status of on-going OWASP projects.


The Sun Presenter Console Extension for Impress

I have recently given up trying to keep up with Microsoft Office. I have nothing against the product, I just don't want to afford it. Especially when there is an excellent free alternative, namely OpenOffice.

I've been using OpenOffice Impress (the OpenOffice alternative to PowerPoint) for a while now, and I really like it. It has done everything that I have needed it to, until last month's Twin Cities ColdFusion User Group meeting.


A Security Project for CFML

So I thought I would take a few minutes and blog about what I am working on. I don't expect anyone to care. Feel free to stop reading. I just wanted to write about something that does not require hours of research. I also wanted to just write SOMETHING, to get me back into it so that I do not become too lax in my blogging.


This is something that I had not really planned on talking about until it was closer to usable. But it is also something that I was hoping would be closer to usable by now.


OWASP & FLOSS Application Security Mini-Conference 2008 - Tomorrow Oct 21, 2008

Tomorrow, October 21st, 2008, is the OWASP & FLOSS Application Security Mini-Conference 2008.

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. - OWASP Website


Google has Open Sourced RatProxy Security Tool

Google has announced that they have open-sourced RatProxy, which, according to the Google Code site is:

"A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments."


BlogCFC was created by Raymond Camden. This blog is running version 5.9.1.