Hi Dave,
Many thanks for the response.  In our case, we have portcullis and some 
other filters built into the system, so my hope is that we are secure.  
Perhaps script protect is not adding a lot.  Since we use a web editor in 
a number of places in our system, my ideal scenario would probably be to 
enable super user admins to use tags like <embed> to display flash on a 
page but restrict it in other scenarios where there might be more risk 
(e.g. on the front end of a web site).
How would you handle that kind of requirement?  Would script protect be 
part of it?
Nick

----------------------------------------
From: Dave Watts <[email protected]>
To: cf-talk <[email protected]>
Subject: Re: Displaying flash on a site where script protect is enabled?
Date: Fri, 9 Nov 2012 12:50:36 -0500

> I know this has been discussed before but I'm not finding a clear answer
> online to the question of whether it is possible to use flash on a site
> where the script protect / invalidtag feature has been turned on.

Yes, you certainly can use Flash with SCRIPTPROTECT. The two are not
really related. All SCRIPTPROTECT does is examine data from the
browser to see if it contains client-side executable functionality.

> We would like to keep this security feature turned on generally, but if
> that means that it is not possible for clients to put flash files on their
> pages in our CMS, that is a pretty steep trade off.  Are there ways around
> this?

Not really. If you want people to be able to put client-side
executable content in HTML pages, that defeats the purpose of using
SCRIPTPROTECT. You could write a CMS widget to accept parameters from
the client and have that build a snippet of HTML that uses those
parameters with Flash Player, though.

> Also, our experience is that some older pages that have flash working -
> presumably from before the script protect feature was turned on - are still
> working fine (despite having script protect on).  So, that is a bit of a
> surprise.

That should not be a surprise. Again, all SCRIPTPROTECT does is limit
the ability of users to upload data that could later execute in
another user's browser. You might want to read a bit about XSS
vulnerabilities to see what it's supposed to protect you against.

All that said, SCRIPTPROTECT only provides limited protection against
those vulnerabilities.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.
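To make Dave's two points concrete (SCRIPTPROTECT neuters a pasted <embed> but is only a narrow tag blocklist, and a CMS widget that builds the Flash markup from validated parameters avoids both the breakage and the raw-HTML risk), here is an added example in Python. It is not code from this thread, from ColdFusion, or from Nick's CMS. The regex standing in for SCRIPTPROTECT is my reading of the product's default pattern and is an assumption (the real filter is applied to incoming form/url/cookie/cgi data); ALLOWED_SWF_HOSTS, build_flash_snippet and widget_rejects are hypothetical names, and the sample inputs are constructed.

```python
import html
import re
from urllib.parse import urlparse

# Approximation of SCRIPTPROTECT's default pattern (assumption: my reading of
# ColdFusion's default configuration, not code from the product). CF applies
# it to incoming form/url/cookie/cgi data and rewrites the tag start to
# "<InvalidTag". Content already sitting in the database was never passed
# through it, which is why older pages with Flash keep working after it is
# enabled: rendering stored HTML does not invoke the filter.
_BLOCKED_TAG_START = re.compile(r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE)


def scriptprotect(request_value: str) -> str:
    """Simulate SCRIPTPROTECT on one incoming request value."""
    return _BLOCKED_TAG_START.sub("<InvalidTag", request_value)


# Constructed sample inputs: what a user might paste into the web editor.
RAW_EMBED = '<embed src="/media/intro.swf" width="400" height="300">'
# Neither of these contains a blocked tag name, so the filter lets them through
# untouched: it is a blocklist of five tags, not an XSS defence.
EVENT_HANDLER_XSS = '<img src="x" onerror="alert(document.cookie)">'
JS_URL_XSS = '<a href="javascript:alert(1)">click</a>'

# The widget Dave describes: accept parameters, never markup. Because the
# parameters contain no tags, SCRIPTPROTECT never fires on them, and the markup
# is produced server-side at render time.
ALLOWED_SWF_HOSTS = {"cdn.example.com"}  # hypothetical allowlist of SWF hosts


def build_flash_snippet(swf_url: str, width, height) -> str:
    """Build Flash Player markup server-side from validated parameters.

    Accepts a same-site absolute path (/media/x.swf) or an http(s) URL on an
    allowlisted host. Anything else, including javascript: and protocol-
    relative //host URLs, is rejected. Dimensions must be small positive ints.
    """
    if "\\" in swf_url or "\x00" in swf_url:
        raise ValueError("unexpected characters in swf_url")
    parsed = urlparse(swf_url)
    same_site = parsed.scheme == "" and parsed.netloc == "" and parsed.path.startswith("/")
    allowlisted = parsed.scheme in ("http", "https") and parsed.netloc.lower() in ALLOWED_SWF_HOSTS
    if not (same_site or allowlisted) or not parsed.path.lower().endswith(".swf"):
        raise ValueError("swf_url is not an allowed .swf location")
    w, h = int(width), int(height)  # ValueError for "400abc", "1e3", etc.
    if not (1 <= w <= 2000 and 1 <= h <= 2000):
        raise ValueError("dimensions out of range")
    safe_url = html.escape(swf_url, quote=True)  # attribute-context encoding
    return (
        f'<object type="application/x-shockwave-flash" data="{safe_url}" '
        f'width="{w}" height="{h}">'
        f'<param name="movie" value="{safe_url}">'
        # Stop the SWF from calling into the host page's JavaScript.
        '<param name="allowScriptAccess" value="never">'
        "</object>"
    )


def widget_rejects(swf_url, width, height) -> bool:
    """True if the widget refuses these parameters (used for the checks below)."""
    try:
        build_flash_snippet(swf_url, width, height)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(scriptprotect(RAW_EMBED))          # the pasted embed is neutered
    print(scriptprotect(EVENT_HANDLER_XSS))  # the XSS payload is not
    print(build_flash_snippet("/media/intro.swf", 400, 300))
```

With this split, the question Nick raises in his follow-up (Flash for super-user admins, not on the public front end) becomes a matter of who is allowed to invoke the widget, rather than a SCRIPTPROTECT setting; the raw editor content still never needs to carry an <embed>.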



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353113