It's easy enough to write your own function for this sort of thing. Here's
the basis of how I might approach it:

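<cfset REQUEST.qs = 'var1=andy&var2=Jaime&var3=Noelle'>
<cfset REQUEST.qsArr = ArrayNew(1)>
<!--- Walk the query string one name=value pair at a time --->
<cfloop index="REQUEST.outer" list="#REQUEST.qs#" delimiters="&">
        <!--- Name is the text before the first "="; value is everything after it --->
        <cfset REQUEST.key = ListFirst(REQUEST.outer,'=')>
        <cfset REQUEST.value = ListRest(REQUEST.outer,'=')>
</cfloop>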

At that point you could do anything you wanted to with REQUEST.key or
REQUEST.value.


andy

-----Original Message-----
From: Donnie Carvajal
Sent: Tuesday, March 02, 2010 4:34 PM
To: cf-talk
Subject: Re: Prevent Cross-Site Scripting in ColdFusion 5


I have checked CFLib.org.  They have a couple of UDF's for handling URL
variables, but nothing that appeared like it would parse through
CGI.query_string or use some sort of regular expression to encode or remove
unwanted vars without losing the variables by encoding the ampersand and
equal signs. 

> Have you checked CFLib.org yet? Great collection of UDF's. Maybe 
> something there that can help you.
> 
> Steve "Cutter" Blades
> Adobe Community Professional - ColdFusion Adobe Certified Professional 
> Advanced Macromedia ColdFusion MX 7 Developer
> 
> Co-Author of "Learning Ext JS"
> http://www.packtpub.com/learning-ext-js/book
> _____________________________
> http://blog.cutterscrossing.com
> 
> 
> 
> Donnie Carvajal wrote:
> > I have an app that is written in ColdFusion 5 and there are several
> > places in the app where CGI.query_string is used to set the query
> > string on the href of an anchor tag.  I need a clean way to scrub the
> > CGI.query_string variable.  I can't use URLEncodedFormat because all
> > of the ampersands and equal signs will be encoded and then there won't
> > be any query string variables.  I can't use the
> > application.scriptProtect variable because the app is in ColdFusion 5
> > and it can't be upgraded to any version of ColdFusion MX without some
> > major work to fix errors.  Does anyone know of a UDF, custom tag, CFX,
> > etc. that I can use?
> >
> > Thanks,
> >
> > Donnie
> >
> > 
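
The approach discussed in this thread (split the query string into pairs, then encode each name and value separately so the "&" and "=" separators survive), written out as an added example that is not code from any poster. The UDF name SafeQueryString and the target page.cfm are hypothetical; it assumes only CFScript UDF syntax and built-in functions available in ColdFusion 5.

```cfml
<cfscript>
// Added example: rebuild a query string so that every name and value is
// URL-encoded while the "&" and "=" separators stay intact.
// SafeQueryString is a hypothetical name, not a CFLib or built-in function.
function SafeQueryString(qs) {
    var out = "";
    var i = 1;
    var pair = "";
    var key = "";
    var value = "";
    var pairs = ListToArray(qs, "&");

    for (i = 1; i LTE ArrayLen(pairs); i = i + 1) {
        pair = pairs[i];
        // Decode first so text that is already encoded (e.g. %20) is not
        // double-encoded when URLEncodedFormat is applied below.
        key = URLDecode(ListFirst(pair, "="));
        value = "";
        if (ListLen(pair, "=") GT 1) {
            // ListRest keeps any further "=" characters inside the value.
            value = URLDecode(ListRest(pair, "="));
        }
        // Skip pairs with no name; everything else is re-encoded, which
        // percent-encodes <, >, quotes and other markup characters.
        if (Len(key)) {
            out = ListAppend(out, URLEncodedFormat(key) & "=" & URLEncodedFormat(value), "&");
        }
    }
    return out;
}
</cfscript>

<!--- HTMLEditFormat turns the remaining "&" separators into &amp; for the href attribute --->
<cfoutput>
<a href="page.cfm?#HTMLEditFormat(SafeQueryString(CGI.query_string))#">Next page</a>
</cfoutput>
```
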




Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331274