> > For XSS then you really should be looking at using HTMLEditFormat() and
> > HTMLCodeFormat() to make any user submitted content safe.
> 
> Damn.  What does that do to WYSIWYG stuff?!?!  And CF8 has this shiny
> DHTML editor...
> 

I guess I should qualify that and say, use HTMLEditFormat() and
HTMLCodeFormat() on any *untrusted* user submitted content.

If you are using an admin area for your users to add content using a WYSIWYG
then the use of these techniques is out for the WYSIWYG content. However, if
you are allowing anonymous users to submit content through the front end,
HTMLEditFormat() and HTMLCodeFormat() will kill all XSS attempts dead!

If you go back far enough in the archives (Aug 2004), I came up with a SQL
stripper (at the time I thought it was a great idea... How naive I was :) )
that Jochem took to pieces in less than one brain cycle... He also posted
one of the links that I re-posted in this thread (the one about checking for
bad stuff being a mistake) and since then, I've not bothered with even
attempting to write my own security methods for SQL injection and XSS and
instead used the techniques discussed wholesale.
 
On the whole, it has been so much more straightforward to do this rather
than build and support something that could be full of holes simply because
I've not thought of something. The techniques outlined also follow one of
the best principles that all software developers should adhere to.... 

The KISS principle - Anything else is a contrivance!

Paul

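The two paths Paul describes, as an added CFML example that is not from the original thread: anonymous front-end input is encoded on output, while HTML from an authenticated editor's WYSIWYG is accepted only after a session check and then displayed unencoded. The form fields `comment` and `articleHtml`, the `session.isEditor` flag and the `application.articles` store are assumptions made for the example.

```cfml
<!--- Added example, not code from the original post.
      Assumes form.comment is posted by an anonymous visitor and
      form.articleHtml comes from a logged-in editor's WYSIWYG tool. --->
<cfparam name="form.comment" default="">

<!--- Untrusted path: encode at the point of output so any markup in the
      submission is rendered as text. HTMLEditFormat() turns < > & and "
      into entities, which is what defuses injected <script> elements and
      event-handler attributes. --->
<cfset safeComment = HTMLEditFormat(form.comment)>

<!--- Covered contexts: element body and double-quoted attribute.
      HTMLEditFormat() does NOT touch the single quote, so never place an
      encoded value inside a single-quoted attribute. On ColdFusion 10 and
      later, encodeForHTML() / encodeForHTMLAttribute() are the better choice. --->
<cfoutput>
  <div class="comment" title="#safeComment#">#safeComment#</div>
</cfoutput>

<!--- HTMLCodeFormat() applies the same escaping and wraps the result in
      <pre>, which suits submissions that are meant to be code snippets. --->
<cfoutput>#HTMLCodeFormat(form.comment)#</cfoutput>

<!--- Trusted WYSIWYG path: encoding here would print the editor's tags
      literally and break the formatting, so the trust decision is made when
      the HTML is accepted (authenticated editor session), not when it is
      shown. Stored article HTML is then output as-is to every visitor. --->
<cfif IsDefined("form.articleHtml") AND IsDefined("form.articleId")>
  <cfif NOT (IsDefined("session.isEditor") AND session.isEditor)>
    <cfabort showerror="Editors only">
  </cfif>
  <cfset application.articles[form.articleId] = form.articleHtml>
</cfif>

<cfif IsDefined("url.articleId")
      AND StructKeyExists(application.articles, url.articleId)>
  <cfoutput>#application.articles[url.articleId]#</cfoutput>
</cfif>
```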


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285655