Displaying or using data now in one way doesn't necessarily mean that's how you or someone else may need or want to display or use it later. It has been my experience that storing data just as it was entered is the better solution all around. Once you strip information out that you deem unsafe for your current needs, you can't get it back later if/when you or someone else decides otherwise.
..:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com

-----Original Message-----
From: Andrew Grosset [mailto:[EMAIL PROTECTED]
Sent: Friday, April 18, 2008 11:12 PM
To: CF-Talk
Subject: Re: Prevent Cross Site scripting

Sorry, you haven't convinced me. I appreciate what you're saying, but having to cache the static pages after you've cleansed them doesn't seem right either.... Of course if you're relying on javascript to display as in ajax then you have a point.

Andrew.

>How do you know it's junk? Let's say you have a last name of "O'reilly" entered into a form field. That string will break the following code:
>
><script language="javascript">
>  alert('#last_name#');
></script>
>
>You would not want to remove the tick from the name in the database, as now you have lost part of your data. Instead you sanitize it at the time you output it with jsstringformat.
>
>Now, some of you are probably thinking, "Why don't you just escape it when you put it into the database?" My answer to that is, "How do you know in what context that data might need to be displayed?" If you escape the data for a JavaScript string at the time you store it, then it won't look right when you want to output it in HTML. OK, so you might think you should escape it for HTML at the time you store it-- now you write a flex front-end for your app and wish to display it in Flash.
>
>There are reasons other than malicious attacks to clean your data, and it is my opinion that the interface responsible for displaying the data should also be responsible for cleaning it appropriately. If that is done, "O'Reilly" won't be an issue and neither will XSS.
>
>If you are concerned about the performance implications of formatting the data over and over again you could cache static pages and serve them up. If your data is ever-changing, I consider this overhead a small price to pay that comes with the business of storing and regurgitating data.
>
>~Brad
>
>Why store junk? If you're going to store data shouldn't it be escaped/purified before you store it? Then you're escaping it once as opposed to escaping it 1000's of times every time you display/output it?
>
>>> So what do you recommend instead? The built in XSS protection doesn't catch everything.
>>
>>I recommend that you consider accepting and storing "unsafe" strings, and

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303798
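The store-raw, encode-on-output approach Brad argues for, and the context mismatch that escape-before-storing causes, as an added Python example that is not from the thread or from ColdFusion; escape_for_js_string is a hypothetical stand-in for jsStringFormat(), and the sample value is the thread's own "O'Reilly":

```python
import html


def escape_for_js_string(value: str) -> str:
    """Escape a value for use inside a quoted JavaScript string literal
    (hypothetical stand-in for ColdFusion's jsStringFormat())."""
    out = []
    for ch in value:
        if ch in "\\'\"":
            out.append("\\" + ch)            # quotes/backslash would end the literal
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch in "<>/":
            out.append("\\u%04x" % ord(ch))  # keeps "</script>" inert in inline scripts
        else:
            out.append(ch)
    return "".join(out)


def escape_for_html(value: str) -> str:
    """Escape a value for an HTML text or attribute context."""
    return html.escape(value, quote=True)


def render_js_alert(last_name: str) -> str:
    """The thread's alert('#last_name#') snippet with the value encoded for JS."""
    return "<script>\n  alert('%s');\n</script>" % escape_for_js_string(last_name)


def compare_strategies(raw: str) -> dict:
    """Contrast 'store raw, encode on output' with 'encode once before storing';
    stored_html_escaped is what the DB holds if input were HTML-escaped at insert."""
    stored_html_escaped = escape_for_html(raw)
    return {
        "raw_to_js": escape_for_js_string(raw),
        "raw_to_html": escape_for_html(raw),
        # entity leaks into the alert box: the user sees O&#x27;Reilly
        "html_stored_to_js": escape_for_js_string(stored_html_escaped),
        # double-encoded: the page shows O&amp;#x27;Reilly literally
        "html_stored_to_html": escape_for_html(stored_html_escaped),
    }


if __name__ == "__main__":
    for key, value in compare_strategies("O'Reilly").items():
        print("%-20s %s" % (key, value))
    print(render_js_alert("O'Reilly"))
```

The raw value encodes correctly for either context, while the pre-escaped value is wrong in both the other context and, after a second pass, its own.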

