This post is more than 2 years old.
A user asks:
Have a question regarding your Application.cfc PDF. I do not understand (I'm a newbie) why you have this.scriptProtect set to false instead of true. Wouldn't it be better to protect it? This is my understanding from the CFMX7 documentation. Thanks.
To be honest, I didn't think about making the PDF have "best practices" per se - I just wanted a nice 'skeleton' Application.cfc PDF I could use for my own applications, and share with others.
That being said - what should you use for the setting? Unfortunately I have two answers for this. My readers will probably chime in as well (hopefully).
The scriptProtect feature is a very nice addition to CFMX7, although it is not perfect. (See my last post on it and pay particular attention to Pete's comment.) Of course, nothing is perfect. So normally I'd would say, always turn it on.
However - when you use this feature, you can't disable it. Sometimes you may want to allow potentially dangerous HTML in form entries. For example, on this blog, I have the right to use whatever HTML I want when creating entries. I wouldn't want scriptProtect to stop me. Since the setting is application-wide, I can't just turn it off for me when I'm logged in. That alone is enough reason for me not to use it here. (Although BlogCFC is staying backwards-compat with CFMX 6.1 and BlueDragon 6.2.) If that isn't a concern for you, then I'd say definitely turn the feature on.