> Do you have any scripts that you can share?

Well, no, unfortunately.

The reason for this is that there are various approaches that you can take to solve this problem, and these approaches are very dependent on what you're trying to accomplish - it's not a matter of just having a script that you can plug in.

One solution, as Michael Dawson mentioned, is to use HTMLEditFormat to remove all HTML from input. This is pretty simple, and prevents many XSS attacks (though not necessarily all). But what if you want to allow people to input HTML in the first place? This is somewhat common in CMS environments, for example. This is why "languages" like BBML exist - to allow limited HTML authoring without allowing the author to submit HTML to the server. Even then, you have to watch out for things like JavaScript pseudo-URLs, which bypass any tag-based approach to removing XSS exploits.

In addition, you may choose to differentiate between "safe" and "unsafe" strings, an approach recommended by Joel Spolsky in passing here: http://www.joelonsoftware.com/articles/Wrong.html

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
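The three ideas in the reply above (encode everything that is not explicitly allowed, accept only a small BBML-style markup subset, and refuse JavaScript pseudo-URLs with a scheme allowlist while marking the output as a "safe" string) combined into one added example. This is illustration code written for this page, not code from the thread or from ColdFusion; the `[b]`, `[i]` and `[url=...]` tag set and the `SafeHtml` marker type are assumptions for the example.

```python
import html
import re
from typing import List, Optional
from urllib.parse import urlparse

# Hypothetical BBML subset: [b]..[/b], [i]..[/i], [url=target]..[/url].
# Everything outside these tags (including raw HTML) is encoded with
# html.escape, the role HTMLEditFormat plays in ColdFusion. Nesting is
# deliberately not supported; unknown tags are shown as literal text.
SAFE_SCHEMES = {"http", "https", "mailto"}

class SafeHtml(str):
    """Marker type for text already encoded for HTML output (the 'safe' string idea)."""

def safe_url(raw: str) -> Optional[str]:
    """Return the URL only if its scheme is allowlisted, otherwise None.
    The check runs on the decoded text before any encoding, so a
    javascript: pseudo-URL is refused no matter how tags are filtered."""
    candidate = raw.strip()
    if urlparse(candidate).scheme.lower() in SAFE_SCHEMES:
        return candidate
    return None

_TAG = re.compile(r"\[(b|i)\](.*?)\[/\1\]|\[url=([^\]]+)\](.*?)\[/url\]", re.S)

def render_bbml(text: str) -> SafeHtml:
    """Convert the BBML subset to HTML; encode everything else."""
    out: List[str] = []
    pos = 0
    for m in _TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        if m.group(1):  # [b] or [i]
            tag = m.group(1)
            out.append(f"<{tag}>{html.escape(m.group(2), quote=True)}</{tag}>")
        else:           # [url=...]
            url = safe_url(m.group(3))
            label = html.escape(m.group(4), quote=True)
            if url is None:
                out.append(label)  # drop the link, keep its visible text
            else:
                out.append(f'<a href="{html.escape(url, quote=True)}">{label}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return SafeHtml("".join(out))

def emit(fragment: str) -> str:
    """Output boundary: only strings marked SafeHtml may reach the page."""
    if not isinstance(fragment, SafeHtml):
        raise TypeError("refusing to emit an unencoded ('unsafe') string")
    return str(fragment)
```

`emit` is where the safe/unsafe distinction pays off: any code path that forgets to run user input through `render_bbml` fails loudly instead of rendering raw input.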

