Right now we are using a combination of Portcullis plus home-grown filters
within the application as well as within the web server (which we control).

We would definitely consider looking at Fuseguard as well (but haven't yet).

N

-----Original Message-----
From: Adam Cameron [mailto:[email protected]] 
Sent: Friday, February 28, 2014 11:10 AM
To: cf-talk
Subject: Re: Best practices for xss security in CMS?


Sorry, I only read as far as "disabling Javascript" and was commenting on
that. The fact remains that anything done *clientside* is not reliable. It
seems we're not disagreeing there.

Certainly having a WAF is borderline essential on anything other than a
trivial site. I'm not entirely sure doing it at the CF level is the correct
place to do it, but that's an aside.

Sorry for confusion.

--
Adam


On 1 March 2014 07:59, Russ Michaels <[email protected]> wrote:

>
> I disagree 100%.
> Scanning all form fields globally for any dodgy content is the complete
> opposite of narrow-sighted; it is a much more efficient way to make sure
> nothing gets through than trying to do these checks in multiple different
> places and potentially missing one.
>
>
>
> On Fri, Feb 28, 2014 at 6:56 PM, Adam Cameron <[email protected]> wrote:
>
> >
> > That's a bit narrow-sighted.
> >
> > Hackers don't disable JS to bypass clientside pre-validation, they just
> > post the form directly. Often the server code is not coded in such a way
> > as to be aware of how a post is made (via a legit form, or just by a POST
> > request).
> >
> > *Always* consider client-side pre-validation a "nice to have" and really
> > more a UX ("hey, you malformed that phone number, wanna try again?" sort
> > of thing) consideration than actual validation. And *always* do validation
> > on the server.
> >
> > --
> > Adam
> >
> >
> >
> >
> > On 1 March 2014 07:44, Russ Michaels <[email protected]> wrote:
> >
> > >
> > > Although these days, if a user has JavaScript disabled, they won't be
> > > able to use the CMS at all, as it is a requirement for the editor and
> > > all the AJAXy stuff.
> > > But what you can do is apply filtering to all form fields at a global
> > > level, so any form submission on any page will have anything dodgy
> > > removed.
> > > I believe FuseGuard will do this for you.
>
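The handler-side picture the thread argues over, as an added illustration in Python rather than ColdFusion code from any of the posters: a scripted POST reaches the same handler as a browser submission, one global field filter of the kind Russ describes runs on every request, per-field validation runs on the server, and the title is encoded when it is rendered. The field names, the denylisted tag names, the phone pattern and the three sample posts are all constructed for this example and are not from the thread.

```python
"""Server-side handling of a CMS form post: a global field filter, per-field
validation and output encoding, fed by a browser-style post and by direct
scripted posts. Added illustration; not ColdFusion code from the thread.
"""
import html
import re

# Constructed sample requests. The handler receives the same dict either way;
# nothing tells it whether a browser form or a script produced the POST.
BROWSER_POST = {"title": "Spring release notes", "phone": "+44 20 7946 0000"}
SCRIPTED_POST = {"title": "<script>alert(1)</script>Notes", "phone": "call me"}
ATTRIBUTE_POST = {"title": '<svg onload="alert(1)">Notes', "phone": "+1 555 0100"}

# Assumed phone format for the example: optional +, then digits, spaces,
# parentheses or hyphens.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ()\-]{5,19}$")


def client_prevalidate(form):
    """Client-side pre-validation, mirrored here only to show that a scripted
    POST never runs it: the server sees SCRIPTED_POST whatever this returns."""
    return bool(PHONE_RE.match(form.get("phone", "")))


# Global filter applied to every field of every request (the "one place for
# everything" approach). It is a denylist of tag names, so it strips the tags
# it knows about and passes anything else through unchanged.
DENIED_TAG_RE = re.compile(
    r"</?\s*(script|iframe|object|embed|style)\b[^>]*>", re.IGNORECASE
)


def global_filter(form):
    """Strip denylisted tags from every submitted field."""
    return {name: DENIED_TAG_RE.sub("", value) for name, value in form.items()}


def validate(form):
    """Per-field server-side validation with allowlist rules. This, not the
    client-side check, decides whether the post is accepted."""
    errors = {}
    title = form.get("title", "")
    if not 1 <= len(title) <= 80:
        errors["title"] = "title must be 1-80 characters"
    if not PHONE_RE.match(form.get("phone", "")):
        errors["phone"] = "phone must be digits, spaces, parentheses or hyphens"
    return errors


def render_title(title):
    """Output encoding at render time: html.escape turns <, >, &, " and '
    into entities, so whatever survived the global filter is shown as text."""
    return "<h1>" + html.escape(title, quote=True) + "</h1>"


def handle_post(form):
    """The server-side request path: global filter, validation, then render."""
    filtered = global_filter(form)
    errors = validate(filtered)
    if errors:
        return {"status": 400, "errors": errors}
    return {"status": 200, "body": render_title(filtered["title"])}


if __name__ == "__main__":
    for label, post in (("browser", BROWSER_POST),
                        ("scripted", SCRIPTED_POST),
                        ("attribute", ATTRIBUTE_POST)):
        print(label, "client check:", client_prevalidate(post),
              "server:", handle_post(post))
```

Run it directly to see the three posts go through. The client-side check is included only to make the point that a scripted request never executes it; the server rejects SCRIPTED_POST on its own validation. The third post is there to show why the handler still encodes on output: the tag-name denylist passes `<svg onload=...>` untouched, and html.escape is what turns it into inert text.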




Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357807