I'm not sure, Chris. It might be worth noting that scriptProtect does have a few holes in it, I think, so don't rely on it too much; put your own validation in place as well.

Rob

-----Original Message-----
From: Chris Norloff [mailto:[EMAIL PROTECTED]]
Sent: 07 June 2007 15:33
To: CF-Talk
Subject: XSS patch & Global Script Protect

This fix is needed if Global Script Protection is not enabled.

I wonder if it's a vulnerability if Global Script Protection is ON and a specific application disables the script protection using the scriptProtect parameter of the cfapplication tag. Anybody know?

Patch for XSS when Global Script Protection is not enabled
http://www.adobe.com/support/security/bulletins/apsb07-03.html

cfapplication info:
http://download.macromedia.com/pub/documentation/en/coldfusion/mx7/cfmx7_cfml_ref.pdf

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280378