I have a site where the guestbook is a constant problem for me.  I've
tried persuading the radio station management that they really don't
want a guestbook but they see it as an important way to interact with
the listeners.

We'll get a fan of a show saying how the host is wonderful - a dream -
'a real spunk' then a whole tribe of others saying how ugly and
totally undesirable the host is.  Never any middle ground.

So I have to keep it going.

It's a constant source of problems, from people at other stations or
fans of other stations trying to embarrass us by putting links to porn
or telling out-and-out lies there.   We get lots of spammers trying to
use our guestbook form to send their emails or post links to their
sites.

Here are some of the things we do (and it's a changing feast - I'm
always tinkering with the process page to tighten it up a little
without inhibiting the real listeners posting (which is why we haven't
gone to using Captcha yet)).

[A] No guestbook post goes straight to the site.  It goes to an editor first.
[B] Any post containing the character < gets dumped. (Early attempt to
filter out HTML.)
[C] Any post containing some reserved words gets dumped.
[D] Just in case [B] didn't catch it, all posts are HTMLEditFormatted.
[E] All posts go through <cfqueryparam on their way into the database.
[F] Any posts not coming from the right page (ie not having
cgi.http_referer with the correct value) get dumped.
[G] The IP address of every post is stored, and posts coming from some
IPs and some domains are dumped.

The poster doesn't always get notified that the post has been dumped -
I don't want to give too many clues to the abusers about what checks
are being made.  There aren't any foolproof safeguards, but we keep on
working on it while trying to resist any measure that will make it
more difficult for legitimate listeners to post.

It keeps managing that site interesting though!


Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month






On 8/8/06, Dave Watts <[EMAIL PROTECTED]> wrote:
> > Do you have any scripts that you can share?
>
> Well, no, unfortunately.
>
> The reason for this is that there are various approaches that you can take
> to solve this problem, and these approaches are very dependent on what
> you're trying to accomplish - it's not a matter of just having a script that
> you can plug in. One solution, as Michael Dawson mentioned, is to use
> HTMLEditFormat to remove all HTML from input. This is pretty simple, and
> prevents many XSS attacks (though not necessarily all). But what if you want
> to allow people to input HTML in the first place? This is somewhat common in
> CMS environments, for example. This is why "languages" like BBML exist - to
> allow limited HTML authoring without allowing the author to submit HTML to
> the server. Even then, you have to watch out for things like JavaScript
> pseudo-URLs, which bypass any tag-based approach to removing XSS exploits.
>
> In addition, you may choose to differentiate between "safe" and "unsafe"
> strings, an approach recommended by Joel Spolsky in passing here:
>
> http://www.joelonsoftware.com/articles/Wrong.html
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
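The following is an added example, not code from Mike Kear's site or from Dave Watts. It puts the checks [B] through [G] from Mike's list into one ColdFusion screening function, escapes the surviving text with HTMLEditFormat ([D]), queues it for the editor rather than publishing it ([A]) using bound query parameters ([E]), and adds the URL check Dave's point about JavaScript pseudo-URLs calls for if limited HTML is ever allowed. The expected referer URL, the blocklist, the reserved-word list, the datasource and the table and column names are all constructed assumptions.

```cfml
<cfscript>
// Added example (not Mike Kear's production code): screening for guestbook
// posts. All settings below are constructed sample values; a real site
// would load them from a config file or a table the editor can maintain.
variables.expectedReferer = "http://www.example-station.com/guestbook.cfm";  // assumed
variables.blockedIps      = "203.0.113.7,203.0.113.9";                      // assumed
variables.reservedWords   = "viagra,casino,http://,www.";                    // assumed

// Returns a struct: accepted (boolean), reason (string), safeText (escaped text).
// The reason is for the log only; the poster just sees "thanks" either way,
// which is the "don't give the abusers clues" policy from the post above.
function screenGuestbookPost(required string message,
                             required string referer,
                             required string remoteAddr) {
    var result = { accepted = true, reason = "", safeText = "" };
    var words  = listToArray(variables.reservedWords);
    var i      = 0;

    // [F] The form must have been submitted from our own guestbook page.
    // The referer header is set by the client, so this stops casual abuse of
    // the form handler, not a poster who deliberately forges the header.
    if (left(arguments.referer, len(variables.expectedReferer)) neq variables.expectedReferer) {
        result.accepted = false;
        result.reason   = "wrong referer";
        return result;
    }

    // [G] Posts from blocked addresses are dumped.
    if (listFind(variables.blockedIps, arguments.remoteAddr)) {
        result.accepted = false;
        result.reason   = "blocked address";
        return result;
    }

    // [B] Any '<' at all dumps the post; no attempt is made to "clean" it.
    if (find("<", arguments.message)) {
        result.accepted = false;
        result.reason   = "angle bracket";
        return result;
    }

    // [C] Reserved words and link patterns.
    for (i = 1; i lte arrayLen(words); i++) {
        if (findNoCase(words[i], arguments.message)) {
            result.accepted = false;
            result.reason   = "reserved word: " & words[i];
            return result;
        }
    }

    // [D] Whatever got this far is still escaped before storage, so a check
    // that is later loosened cannot turn stored text into live markup.
    result.safeText = htmlEditFormat(arguments.message);
    return result;
}

// [A] + [E]: nothing goes live. The post is inserted as "pending" for the
// editor, with every value bound as a parameter (the cfscript equivalent of
// cfqueryparam) instead of being concatenated into the SQL string.
function queueForEditor(required string safeText, required string remoteAddr) {
    queryExecute(
        "INSERT INTO guestbook (message, remote_addr, status) VALUES (:message, :remoteAddr, 'pending')",
        {
            message    = { value = arguments.safeText,   cfsqltype = "cf_sql_varchar" },
            remoteAddr = { value = arguments.remoteAddr, cfsqltype = "cf_sql_varchar" }
        },
        { datasource = "guestbook" }   // assumed datasource name
    );
}

// Dave Watts' caveat: if limited HTML is ever allowed (say, a BBCode [url]
// turned into <a href>), filtering tags is not enough because the URL itself
// can carry a script pseudo-URL. Only plain http/https URLs pass here;
// anything with another scheme, whitespace or quoting is refused.
function isSafeLinkUrl(required string url) {
    return reFindNoCase("^https?://[^\s""'<>]+$", trim(arguments.url)) gt 0;
}

// Usage in the form handler (form.message, cgi.http_referer and
// cgi.remote_addr are the real ColdFusion variables):
screened = screenGuestbookPost(form.message, cgi.http_referer, cgi.remote_addr);
if (screened.accepted) {
    queueForEditor(screened.safeText, cgi.remote_addr);
}
</cfscript>
```

With these settings, isSafeLinkUrl("http://example.com/show") returns true and isSafeLinkUrl("javascript:void(0)") returns false, which is the difference a tag-only filter cannot see. The checks are ordered cheapest-first and each one returns as soon as it fails, so the log records a single reason per dumped post and the escaping in [D] still runs on everything that is accepted.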

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249118