Blog
- Day 8 : ColdFusion 10 and Enhanced Java integration
ColdFusion is built on J2EE-compliant technology, which allows you to take advantage of integration with J2EE components, and ColdFusion 10 enhances these capabilities. In previous versions we were able to create objects of Java classes, use JSP tags, etc., but using a custom Java class was painful: you needed to store the class file in the web_root/WEB_INF/classes folder and restart the ColdFusion server every time you updated the class file.
I use custom Java classes in many places where ColdFusion has limited capabilities or needs a performance improvement. In the past (in ColdFusion 8) we were building a PDF from a bunch of photos, and this was taking lots of time and memory. We just created a custom Java class that creates the PDF the way we want it and improved performance around 10 times. There is the JavaLoader project, which lets you execute your custom class without moving it to the classes folder and restarting the ColdFusion service.
- By Pritesh
- Comments(2)
- Day 7 : ColdFusion 10 and Closure - part 2
Yesterday we took a look at closures in ColdFusion; now it's time to discover more.
A closure can be defined inline without giving it a name. You can treat it like a variable and assign it to a variable scope, an array or struct element, or a function return value. For example:
- By Pritesh
- Comments(0)
- Day 6 : ColdFusion 10 and Closure
Wow, ColdFusion now supports closures. I am a fan of closures and use them heavily in JavaScript, especially for AJAX calls' callback functions. A closure is a function within a function that closes over all variables of the outer function when returned/created. This may not be the theoretically pure definition, but it is how I can define it in practical terms, as I have used it.
The ColdFusion 10 documentation gives a very simple example for understanding the concept of closures.
- By Pritesh
- Comments(0)
- Day 5: ColdFusion 10 session enhancement.
ColdFusion 10 added a couple of session-related functions and settings related to the session cookie. First of all, I noticed that using a UUID for CFTOKEN is now enabled by default, so if you are moving to ColdFusion 10 from an older version where cftoken wasn't a UUID and you were using a datasource for client variables, make sure you update the field size in the database where you store client variables. The session ID is generated from the application name, cfid and cftoken.
- By Pritesh
- Comments(0)
- Day 4: Avoid CSRF attack with ColdFusion 10
Day 4 of my ColdFusion 10 review; for the last three days I have been concentrating on the security enhancements. In the previous two posts I covered the functions added in ColdFusion 10 to avoid XSS attacks. Now it's time for CSRF (cross-site request forgery). As per Wikipedia, this is the 909th most dangerous software bug ever found. Yet in a normal project we always keep this door open and take no precautions to restrict it. ColdFusion 10 makes it really easy to avoid CSRF attacks by adding two functions, CSRFGenerateToken and CSRFVerifyToken. The first function generates a different token for each session (or each request), which we need to pass with the form submission; on the action page you call CSRFVerifyToken to make sure the request is coming through the same session and is not a forged request. I used to create a hash key from a combination of a session variable and the page name, pass it with the form, and on the action page compare the same combination with the hash key passed in the form data.
- By Pritesh
- Comments(0)
- Day 3: Avoid Cross-site scripting (XSS) using ColdFusion 10 - Part 2
Yesterday I looked over three newly added security functions for avoiding XSS attacks on your website. Today we look at the remaining functions: encodeForCSS, encodeForURL and canonicalize.
encodeForCSS:
As the function name says, it encodes your string to make it safe to render in CSS. Normally I do not use dynamic CSS, but in certain cases you may want to change the background color of a div based on user input. User input??? Yes, and it is dangerous too, as we are again opening the door to an XSS attack by a hacker. Have a look at the sample below.
- By Pritesh
- Comments(0)
- Day 1: ColdFusion 10 limit number of post request parameters to 100 by default.
Today I started celebrating ColdFusion month with a series of 30 blog posts on ColdFusion 10's new features, and here is the first one. This is not really a new feature or enhancement but a new administrator setting that may give a 400 error (it's not 404) in a project already running on an older version of ColdFusion. The administrator has a new setting, "Maximum number of POST request parameter", which is set to 100 by default, meaning you can post a maximum of 100 parameters to ColdFusion on form submit. Normally 100 parameters are sufficient for any web page, but in my case I have a very complex search with numerous search parameters, which exceed the ColdFusion administrator limit, and submitting the page gives a 400 ColdFusion error that at first glance is easily confused with a 404 error (it seems Adobe changed the default error template). Even though I have an onError method in Application.cfc to catch any ColdFusion error, it seems this was stopped at the server level before my Application.cfc executed. To make sure the page exists I pasted the URL directly into the browser and it seemed to work fine, and it drove me crazy: why was it showing an error while submitting the page????
- By Pritesh
- Comments(2)
- Show tooltip when input element get focus
Hello Friends,
Recently I have been working on a project in which we wanted functionality to show a hint tooltip box (showing information related to the field) when an input element gets focus.
I use clueTip (a jQuery tooltip plugin) to show the hint tooltip box.
- By Mahavir Dhruv
- Comments(0)
- Problems, tips and tricks about Magento
Hello friends,
I am new to Magento. I found many configurations that have to be done before you make your Magento site live. So I thought I should list all the important configurations in one place, so that the list can be used as a checklist as well as tips and tricks for new Magento developers.
- By Vikas
- Comments(2)