Sorry, I only read as far as "disabling Javascript" and was commenting on that. The fact remains that anything done *clientside* is not reliable. It seems we're not disagreeing there,
Certainly having a WAF is borderline essential on anything other than a trivial site. I'm not entirely sure doing it @ CF level is the correct place to do it, but that's an aside. Sorry for confusion.

--
Adam

On 1 March 2014 07:59, Russ Michaels <[email protected]> wrote:

> I disagree 100%
> scanning all form fields globally for any dodgy content is the complete
> opposite of narrow-sighted, it is a much more efficient way to make sure
> nothing gets through rather than instead trying to do these checks in
> multiple different places and potentially missing one.
>
> On Fri, Feb 28, 2014 at 6:56 PM, Adam Cameron <[email protected]> wrote:
>
>> That's a bit narrow-sighted.
>>
>> Hackers don't disable JS to bypass clientside pre-validation, they just
>> post the form directly. Often the server code is not coded in such a way to
>> be aware how a post is made (via a legit form, or just by a POST request).
>>
>> *Always* consider client-side pre-validation a "nice to have" and really
>> more a UX ("hey, you malformed that phone number, wanna try again?" sort of
>> thing) consideration than actual validation. And *always* do validation on
>> the server.
>>
>> --
>> Adam
>>
>> On 1 March 2014 07:44, Russ Michaels <[email protected]> wrote:
>>
>>> although these days if a user has javascript disabled they won't be able to
>>> use the cms at all as it is a requirement for the editor and all the AJAXy
>>> stuff.
>>> but what you can do, is apply filtering to all form fields at a global
>>> level, so any form submission any page will have anything dodgy removed.
>>> I believe FuseGuard will do this for you.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357803

