Yeah, you're right. They were denying stuff like 'JavaScript', but allowing anything that wasn't on their deny list. The problem is they want to allow as much stuff as possible to make it cool for the users, while not allowing too much. It should be possible to only allow a small set of characters/words/tags/etc., and still be secure (as long as there aren't any IE users around! ;) ).
> -----Original Message-----
> From: Joe Rinehart [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 18, 2005 11:44 AM
> To: CF-Talk
> Subject: Re: Cross - Site Scripting
>
> Right - in that case, I'd htmlEditFormat() then reverse in the things
> I'd want to allow. The old firewall routine of default deny vs.
> default allow.
>
> -Joe
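Joe's default-deny approach (escape everything, then reverse the escaping only for what you explicitly allow), as an added Python example that is not code from the thread. Python's html.escape stands in for ColdFusion's htmlEditFormat(), and the small tag allowlist is an assumed set; tags with attributes are deliberately left escaped so an on* handler can never ride in on an allowed tag.

```python
import html
import re

# Assumed allowlist of plain formatting tags. Anything not listed here,
# including <script>, <img> and any tag carrying attributes, stays escaped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}

# Matches an already-escaped bare tag such as &lt;b&gt;, &lt;/em&gt; or &lt;br/&gt;.
# No attribute syntax is matched, so &lt;b onclick=...&gt; never unescapes.
_ESCAPED_TAG = re.compile(r"&lt;(/?)([a-zA-Z]+)\s*/?&gt;")


def sanitize(untrusted: str) -> str:
    """Default deny: escape all HTML, then restore only allowlisted bare tags."""
    escaped = html.escape(untrusted, quote=True)   # the htmlEditFormat() step

    def restore(m: re.Match) -> str:
        slash, name = m.group(1), m.group(2).lower()
        if name in ALLOWED_TAGS:
            return f"<{slash}{name}>"               # reverse the escaping
        return m.group(0)                            # not allowed: leave inert

    return _ESCAPED_TAG.sub(restore, escaped)


if __name__ == "__main__":
    # Constructed sample of user-supplied markup, not from the thread.
    sample = 'Hello <b>world</b>, 1 < 2, <script>x()</script> <i class="q">t</i>'
    print(sanitize(sample))
```

Only the bare `<b>` and `</b>` come back as markup; the comparison, the script element and the attributed `<i>` all remain escaped text.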

