Accessing FORM and URL variables via $.event() from an admin-side plugin page in Mura

I have been learning a lot about Mura the last couple of weeks while building my first Mura plugin, but I have also had a lot of frustration because some things work differently when you are developing for a front-end page vs. a back-end (admin) page.

In the Mura Developer Documentation it states:

The Event scope simply wraps the current request's event object which contains merged data from both the CFML FORM and URL scopes.

It then goes on to say that the following code should return values from those scopes.

<cfset $.event('property') />

So if I have a URL variable like ?test=123, then this code should return the value '123':

<cfset $.event('test') />

This seems to work fine on pages I create for Mura display objects for the front end of the website, but for pages in the admin area of the site, this method only produces [empty string].


cf.Objective() 2011 Keynote - Something New

This year at cf.Objective() we'll be trying something new with the Keynote address. Specifically, instead of being addressed by Adobe, you will be addressed by members of the community. I am proud to be one of those members, and I will be joined by an amazing group of people.

We'll be talking about several topics, and you are not going to want to miss it.

Oh and we need speakers for the Lightning Talks!!

For those that attended cf.O() last year, you may remember that the Pecha Kucha was a HUGE hit. It was almost as well attended as the keynote address and it was a lot of fun. We are going to do it again this year, but this year we are calling it "Lightning Talks".

These presentations are fun, short, and can be on any topic that you want. If you are interested in presenting a Lightning Talk, go to and submit a topic.

Anyone can present a Lightning Talk. You do NOT need to be a cf.Objective() speaker already. This is a great opportunity to get up and try your hand at speaking to a group and having some fun.

And again, it can be on ANY subject. Lightning / PK talks that I have seen in the past include:

  • The Evolution of the Air Cooled Volkswagen - Jim Leether - NCDevCon 2010
  • People-centric software design - Ben Nadel - cf.Objective() 2010
  • Stress Management - Doug Hughes - NCDevCon 2010
  • Life can be hard, or life can be easy - Jason Long - NCDevCon 2010
  • 5 Bucks Is Change - Janet Kennedy - NCDevCon 2010

I'm looking forward to seeing everyone at cf.Objective() 2011

XSS mitigation in ColdFusion, Part 1: Understanding HTML Contexts - Security Series #8.5.1

A long, long time has passed since my first post on Cross-Site Scripting. Looking back on it now, I realize that I have learned a lot since then. I do not think that post cuts the mustard anymore and I will need to do some writing to make up for that.

In the meantime, the topic of XSS came up on a discussion board a few weeks before I started writing this, and again on Ray's blog today, and I wanted to take some time to explore it in more depth. One common misconception about XSS mitigation in ColdFusion is that the best way to handle it is to use HTMLEditFormat() to output any user generated data. I had this same misconception for a long time and have helped to spread it.

While it is true that HTMLEditFormat() can stop many attacks in many locations in your applications, it is not a catch all for XSS. HTMLEditFormat() only works in the HTML block content context of your applications. Your applications have several other contexts where, if you use dynamic code, you can open up XSS vulnerabilities that HTMLEditFormat() cannot stop.

In this post, we will discuss these contexts, what they are, and why they need to be treated differently.
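
An added illustration of the point above (not code from the original post): the same untrusted value written into four output contexts, each with the encoder that matches that context. It assumes ColdFusion 10 or later, where the encodeFor* functions are built in; url.name, search.cfm and the surrounding markup are hypothetical.

```cfml
<!--- Added example. url.name stands in for any user-supplied value. --->
<cfparam name="url.name" default="">
<cfset userValue = url.name>

<cfoutput>
<!--- 1. HTML block content: the one context HTMLEditFormat() was designed for.
      It converts < > & and the double quote to entities. --->
<p>Hello, #HTMLEditFormat(userValue)#</p>

<!--- 2. HTML attribute value: use the attribute encoder and always quote
      the attribute, so the value cannot close it or start a new attribute. --->
<input type="text" name="name" value="#encodeForHTMLAttribute(userValue)#">

<!--- 3. JavaScript string literal: HTMLEditFormat() leaves single quotes and
      backslashes untouched, so it cannot keep a value inside this string.
      encodeForJavaScript() escapes every character that could end the literal. --->
<script>
    var displayName = '#encodeForJavaScript(userValue)#';
</script>

<!--- 4. URL query-string parameter: percent-encode the value so it stays a
      single parameter and cannot add others or alter the path. --->
<a href="search.cfm?q=#encodeForURL(userValue)#">Search for this name</a>
</cfoutput>
```

Each encoder is only safe in its own context: output from encodeForHTMLAttribute() placed inside the script block, or HTMLEditFormat() output placed in the URL, gives no protection there.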


Whose responsibility is data security?

This is an important question and one that you need to ask yourself.

Last week this article was released about a faculty researcher at University of North Carolina at Chapel Hill.

The article describes how the University recently found out that a machine that stored 180,000 social security numbers (used for research) was compromised back in 2007. The University is now hanging the researcher out to dry and not claiming any fault of their own. There is no report yet on what is happening with the programmer/system admin that she hired to maintain the system.


Call for speakers - cf.Objective()

Hey, in case you didn't notice, the call for speakers for the super-awesome-fantastic-amazing cf.Objective() conference is now open.

You can submit your proposals here:

Even if you don't submit a proposal, you should definitely come to cf.Objective(). It is the best ColdFusion conference there is. And remember that cf.Objective() isn't JUST for advanced/enterprise developers. cf.Objective() is also about becoming an advanced/enterprise developer. So even if you feel like cf.Objective() might be over your head, if you're an experienced developer who wants to take the next step in your learning, cf.Objective() is the place for you!

So get on it!

My Presentation Files from the MN Government IT Symposium

Last week I had a great time presenting a couple of topics at the MN Government IT Symposium. Here are the slide decks from my presentations:


Getting your BlackBerry PlayBook development environment set up - Part Three

In this post, we're going to look at setting up FlashBuilder 4 to talk to our BlackBerry PlayBook virtual device. We'll also create our first PlayBook App.

Note, Parts one & two of this series are prerequisites to this part.

Something New

My last two posts were SO LONG, and took a while to load. All of the screen captures and images really annoyed me. So I decided to do this post using Adobe Captivate.


Getting your BlackBerry PlayBook development environment set up - Part Two

I wanted to release this a couple days ago, but I have been battling connectivity problems at home.

In my last BlackBerry PlayBook post we went through what resources we needed and how to get Flash Builder 4 installed and integrated with the BlackBerry PlayBook SDK. Next we'll look at installing the BlackBerry PlayBook simulator.

The simulator is actually a bootable ISO image that is intended to be run inside of a VMWare virtual machine. I am sure there are resources on how to get VMWare Player (Windows) or VMWare Fusion (Mac) installed on your system, so I will not be covering it in this post. Instead, I will assume you already have it installed.


What can I do on different devices? Adobe AIR

So in an effort to figure out what I can do with different devices, I came across this VERY useful document on Adobe's site. It essentially outlines the features of AIR that are not available across platforms and tells us, of those features, which are available where.

For example, I suspected, but did not know that the Encrypted Local Store would not be available on mobile devices (yet?).

If you plan to develop for multiple device profiles (Desktop, Mobile, TV) then you need to take a look at this:

The Winner of the ColdFusion Builder contest and the charity receiving our donation

Last week I ran a contest for Veterans' Day to try to honor those men and women that defend the U.S. and keep it strong.

