> Many thanks for the response. In our case, we have portcullis and some > other filters built into the system, so my hope is that we are secure.
If one user is able to inject commands to run client-side executable code, and those commands get executed when another user views the content created by the first user, your site contains an XSS vulnerability. > Perhaps script protect is not adding a lot. Since we user a web editor in > a number of places in our system, my ideal scenario would probably be to > enable super user admins to use tags like <embed> to display flash on a > page but restrict it in other scenarios where there might be more risk > (e.g. on the front end of a web site). > How would you handle that kind of requirement? Would script protect be > part of it? If you're able to completely trust authenticated users not to do malicious things, you don't need to worry about XSS vulnerabilities, I guess. The problem with SCRIPTPROTECT is that it's fairly easy to bypass. I recommend you read this: http://www.12robots.com/index.cfm/2010/3/1/A-warning-about-ColdFusions-scriptProtect Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353120 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
