Another approach to this problem is to use a non-HTML markup language like BBML or something. Then there's no possibility for evil, but you do need a BBML parser (though I know at least one CFML implementation exists).
Another route would be to explicitly allow stuff you DO want, rather than denying everything you DON'T want. I.e. take the string, add non-HTML markers for the tags you want to keep, replace all the other tags, and then re-HTML-ize the tags to keep:

  <!--- 1. swap the <b> tags we want to keep for non-HTML placeholders --->
  <cfset string = REreplace(string, "<(/?)b>", "[\1b]", "all") />
  <!--- 2. strip every remaining tag --->
  <cfset string = REreplace(string, "</?[a-zA-Z][^>]*>", "", "all") />
  <!--- 3. turn the placeholders back into real <b> tags --->
  <cfset string = REreplace(string, "\[(/?)b\]", "<\1b>", "all") />

On 8/5/05, Dave Watts <[EMAIL PROTECTED]> wrote:
> I'm going through old emails I hadn't read, sorry it's taken so long to
> respond.
>
> > On Thu, 3 Mar 2005 16:07:05 -0500, Mike Chabot
> > <[EMAIL PROTECTED]> wrote:
> > > I am saying that if the user tries to enter <b> tags to make text
> > > bold, he is going to be disappointed because the HtmlEditFormat tag
> > > basically wipes out all HTML.
> > >
> > > If I wanted to allow limited HTML, I would have to scan the
> > > string for all potentially dangerous tags, which I believe would
> > > be less efficient than applying the HtmlEditFormat function.
> >
> > If CFMX 7 is an option for you, check out the new scriptProtect=
> > attribute of <cfapplication> which makes URL and form data safe from
> > cross-site scripting attacks but still allows HTML input.
>
> It's worth pointing out that SCRIPTPROTECT, by default, finds only a few
> potential XSS exploit string patterns. You can customize these patterns by
> editing the appropriate XML configuration file, but I think it's a losing
> battle, since there can be so much variety in XSS exploits.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>

-- 
Barney Boisvert
[EMAIL PROTECTED]
360.319.6145
http://www.barneyb.com/
Got Gmail? I have 50 invites.
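The placeholder-based allowlist described in the post, written out in Python as an added example (this is not code from the post or from any ColdFusion library). The first function is a direct port of the three REreplace steps and keeps their behaviour, including two weak spots: a literal "[b]" typed by the user turns into a real tag, and a stray "<" that does not form a tag passes through untouched. The second function is a hardened variant of the same idea: the placeholders are private-use code points that are stripped from the input first so the user cannot type them, and everything that is not an allowed tag is HTML-escaped rather than merely having recognised tags removed. The allowed-tag list is an assumption; the post only talks about <b>.

```python
import html
import re

# Assumption: which attribute-free tags the site wants to keep.
ALLOWED_TAGS = ("b", "i")

# Private-use code points used as placeholders in the hardened version.
_OPEN = "\ue000"
_CLOSE = "\ue001"


def naive_allowlist(text: str) -> str:
    """Port of the post's three-step approach (placeholder -> strip -> restore)."""
    # 1. Mark the wanted tags with bracket placeholders.
    for tag in ALLOWED_TAGS:
        text = re.sub(rf"<(/?){tag}>", rf"[\g<1>{tag}]", text, flags=re.IGNORECASE)
    # 2. Strip every remaining tag (only well-formed "<name ...>" sequences).
    text = re.sub(r"</?[a-zA-Z][^>]*>", "", text)
    # 3. Turn the placeholders back into HTML. A user-typed "[b]" is restored too.
    for tag in ALLOWED_TAGS:
        text = re.sub(rf"\[(/?){tag}\]", rf"<\g<1>{tag}>", text, flags=re.IGNORECASE)
    return text


def hardened_allowlist(text: str) -> str:
    """Same idea, but placeholders are unforgeable and everything else is escaped."""
    # 1. Remove any placeholder characters the user could have supplied.
    text = text.replace(_OPEN, "").replace(_CLOSE, "")
    # 2. Wrap exactly the allowed, attribute-free tags in placeholders.
    for tag in ALLOWED_TAGS:
        text = re.sub(
            rf"<(/?){tag}>",
            lambda m, t=tag: f"{_OPEN}{m.group(1)}{t}{_CLOSE}",
            text,
            flags=re.IGNORECASE,
        )
    # 3. Escape everything else; no need to enumerate dangerous tags,
    #    every remaining '<', '>', '&' and quote becomes an entity.
    text = html.escape(text, quote=True)
    # 4. Restore the allowed tags from the placeholders.
    return re.sub(rf"{_OPEN}(/?)([a-z]+){_CLOSE}", r"<\1\2>", text)


if __name__ == "__main__":
    # Constructed sample input for demonstration.
    sample = 'Hi <b>there</b> <script>alert(1)</script> [b]typed[/b] a < b'
    print("naive:   ", naive_allowlist(sample))
    print("hardened:", hardened_allowlist(sample))
```

The naive port is what the post's CFML does: unknown tags disappear, but text that merely looks like a placeholder or a bare "<" is left alone. The hardened variant keeps the same user-facing result for legitimate <b> and <i> markup while guaranteeing that nothing else reaches the page as raw HTML, which is the property a reviewer would want to see before accepting user-supplied markup.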
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:213885
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4

