If you're using MX7 they have a setting called scriptProtect that can be set in both app.cfm and app.cfc to protect an individual scope or "ALL". That should do the job to a certain extent.
Rob

-----Original Message-----
From: Mik Muller [mailto:[EMAIL PROTECTED]
Sent: 06 March 2007 16:44
To: CF-Talk
Subject: XSS - Cross Site Scripting

I'm on another list and heard the term XSS for the first time (honestly, I don't know where I've been for the past four years).

http://en.wikipedia.org/wiki/Cross_site_scripting

I've been using StripHTML() for a very long time in my message board SQL inserts, and only an hour ago learned of HTMLEditFormat() for the output.

I've also recently put in code so that *NO* _action.cfm page on my site will allow any access unless the referer is the same domain and of the paired edit/add page (with a few exceptions), i.e. page_edit.cfm and page_edit_action.cfm (gotta love lists... my favorite thing).

I did this after looking in my logs and saw that there is a server in Amsterdam that has been periodically trying to create users on several of my sites since September, about three times a day, once per week. (The users they try to create, btw, are set up to advertise sex toy shops in Russia and Amsterdam! :-) Everything is related.)

So my question is... what do other people on this list do to mitigate XSS attacks? If this is becoming a real problem we may want to share as many techniques as we can to ensure that CF sites have a reputation as being as hack-proof as possible. Another selling point.

Mik

--------
Michael Muller
Admin, MontagueMA.net
Website work (413) 863-0030
cell (413) 320-5336
skype: michaelBmuller
http://www.MontagueMA.net

Eschew Obfuscation

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
ColdFusion MX7 and Flex 2
Build sales & marketing dashboard RIA's for your business. Upgrade now
http://www.adobe.com/products/coldfusion/flex2

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271733
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
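As an added illustration of the three mitigations this thread mentions (Rob's scriptProtect setting, Mik's same-domain referer check on _action.cfm pages, and HTMLEditFormat() on output), here is example CFML that is not from either poster; the file names, application name, datasource, table and form field names are assumptions.

```cfml
<!--- Application.cfc (example file; this.name is assumed) --->
<cfcomponent output="false">
    <cfset this.name = "exampleBoard">
    <!--- MX7+: scrub well-known script/object tags from the FORM, URL, CGI and
          COOKIE scopes before any template runs. It is pattern-based, so treat it
          as defence in depth rather than a substitute for encoding on output. --->
    <cfset this.scriptProtect = "all">
</cfcomponent>

<!--- page_edit_action.cfm (example): the paired-page referer check from the thread --->
<cfset expectedReferer = "http://#CGI.SERVER_NAME#/page_edit.cfm">
<!--- The Referer header is client-supplied and frequently blank (privacy tools, some
      proxies), so this only stops casual cross-site posts; it is not a CSRF token. --->
<cfif Left(CGI.HTTP_REFERER, Len(expectedReferer)) NEQ expectedReferer>
    <cfabort showError="Request must come from page_edit.cfm on this site.">
</cfif>
<!--- Store the submitted text unchanged (bind it, don't concatenate it);
      HTML encoding belongs at output, where the rendering context is known. --->
<cfquery datasource="exampleDS">
    INSERT INTO message (body)
    VALUES (<cfqueryparam value="#FORM.body#" cfsqltype="cf_sql_varchar">)
</cfquery>

<!--- page_view.cfm (example): encode at output, in an HTML body context --->
<cfquery name="qMessages" datasource="exampleDS">
    SELECT body FROM message
</cfquery>
<cfoutput query="qMessages">
    <!--- HTMLEditFormat() escapes <, >, & and " so any stored markup renders as
          literal text. It does not escape the single quote, so do not rely on it
          inside single-quoted attributes or inside JavaScript. --->
    <p>#HTMLEditFormat(qMessages.body)#</p>
</cfoutput>
```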

