What I tend to use is Ray's StripHTML
(http://www.cflib.org/udf.cfm?ID=12) then on the form submit pages use
something like:

<!--- Walk every key in the FORM scope and overwrite its value with the
      tag-stripped version; the quoted "FORM.#itmField#" form sets the
      variable whose name is held in itmField. --->
<CFLOOP COLLECTION="#FORM#" ITEM="itmField">
    <CFSET "FORM.#itmField#" = StripHTML(FORM[itmField])>
</CFLOOP>

And added a Trim() to the return of that function.

However there is one caveat to doing this... If you are uploading a file
via a form submission then this field must be excluded from the
stripping, else IIS deletes the file and then CFFile will fail saying the
field does not contain a file.

HTH

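The loop above with the file-upload caveat folded in, as an added example that is not part of the original post or of Ray's UDF. It assumes the upload field is named "uploadFile" (an assumption; substitute the real field name) and ships a simplified regex-based StripHTML() stand-in so it runs without the cflib download; the Trim() mentioned above is applied at the call site rather than inside the UDF.

```cfml
<!--- Simplified stand-in for Ray's StripHTML UDF (added here for
      illustration): drops anything that looks like an HTML tag. --->
<cffunction name="StripHTML" returntype="string" output="false">
    <cfargument name="str" type="string" required="true">
    <cfreturn REReplaceNoCase(arguments.str, "<[^>]*>", "", "ALL")>
</cffunction>

<!--- Field names to leave untouched. File-upload fields hold a temp
      path that IIS/CFFile need intact, so they must not be rewritten.
      "uploadFile" is an assumed name for this example. --->
<cfset excludedFields = "uploadFile">

<!--- Strip tags and trim every other FORM field, regardless of how many
      there are or what they are called; empty fields pass through as "". --->
<cfloop collection="#FORM#" item="itmField">
    <cfif NOT ListFindNoCase(excludedFields, itmField)>
        <cfset FORM[itmField] = Trim(StripHTML(FORM[itmField]))>
    </cfif>
</cfloop>
```

Keeping the exclusions in a list makes it easy to add further pass-through fields later. Note that tag stripping on input reduces what reaches the application but is not the same as encoding on output; a value that survives the regex can still need escaping where it is rendered.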

-----Original Message-----
From: Rafael (Alan Bleiweiss) [mailto:[EMAIL PROTECTED]] 
Sent: Sunday, September 22, 2002 17:07
To: CF-Talk
Subject: Preventing XSS


I'm working to lock down our web solutions across all client sites, and
it's been pretty intense implementing individual form-field level code to
filter out metacharacters <(# etc...  Is there a CF tag out there that
allows this conversion to be automatically applied to an entire form's
fields regardless of how many fields, what the field names are, or even if
some fields are null?


______________________________________________________________________
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
