I'm on another list and heard the term XSS for the first time (honestly, I
don't know where I've been for the past four years).
http://en.wikipedia.org/wiki/Cross_site_scripting
I've been using StripHTML() for a very long time in my message board SQL
inserts, and only an hour ago learned of HTMLEditFormat() for the output.
I've also recently put in code so that *NO* _action.cfm page on my site will
allow any access unless the referer is the same domain and of the paired
edit/add page (with a few exceptions), i.e. page_edit.cfm and
page_edit_action.cfm (gotta love lists... my favorite thing). I did this after
looking in my logs and saw that there is a server in Amsterdam that has been
periodically trying to create users on several of my sites since September,
about three times a day, once per week. (The users they try to create, btw, are
set up to advertise sex toy shops in Russia and Amsterdam! :-) Everything is
related.)
So my question is... what do other people on this list do to mitigate XSS
attacks? If this is becoming a real problem we may want to share as many
techniques as we can to ensure that CF sites have a reputation as being as
hack-proof as possible. Another selling point.
Mik
--------
Michael Muller
Admin, MontagueMA.net Website
work (413) 863-0030
cell (413) 320-5336
skype: michaelBmuller
http://www.MontagueMA.net
Eschew Obfuscation
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271729