Where the heck is InvalidTag coming from?

I’ve gotten this question many times so I thought I’d write up a quick FAQ. If you are displaying dynamic content on your ColdFusion site and see InvalidTag instead of the HTML you thought you would - it means one of two things. Either your ColdFusion Admin has Enable Global Script Protection turned on or your Application has scriptProtect set to true. This would be set in either the CFAPPLICATION tag or the This scope of your Application.cfc file.

This is a feature that helps prevent cross-site scripting attacks. Personally I don’t use this feature as I always htmlEditFormat user input before displaying it. For more information about this feature, see this page from the LiveDocs:

Settings Page

So - raise your hand if you’ve seen this and had no idea what it was!

Raymond Camden's Picture

About Raymond Camden

Raymond is a developer advocate. He focuses on JavaScript, serverless and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!

Lafayette, LA https://www.raymondcamden.com

Comments