Pete, much appreciated. I guess where I'm being a bit of a dunce is that in your example, if a malicious url.query variable was passed in by a hacker, wouldn't the display only be available on that single request? And if I come to the same search form 2 minutes later and do a normal search, won't it be clean? I guess that, assuming we have no SQL injection to the db, I don't see how that attack stays persistent (as it would possibly for a comment or forum post). Sorry to be over-simple on this.
Re: the content security policy, that looks very interesting. Watching a presentation on it now. One quick question. If we are using that on a site and then an admin comes in and uses an iframe widget from YouTube to display a video on a page in the site, does that get filtered by CSP (and require an exception for YouTube)? I gather that would need to be excepted in the frame-src header, right?

Nick

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357813
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
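The two questions in the post above (why a reflected url.query attack matters when nothing is stored, and whether a YouTube iframe needs a frame-src entry) can both be worked through in code. The following is an added example written for this page, not code from the thread or from Pete's original reply. It is Node.js with no dependencies; the search page, the attack URL and the two CSP policies are constructed for illustration, and the CSP matcher is a deliberate simplification (no ports, paths, nonces or hashes) that only models the frame-src fallback chain of CSP Level 3 (frame-src, then child-src, then default-src).

```javascript
// Added example, not code from the cf-talk thread. Node.js, no dependencies.
// Part 1: why a reflected (non-persistent) XSS still matters even though
//         nothing is stored. Part 2: does a CSP frame-src list admit a
//         YouTube iframe? The search page and the policies are constructed.

// ---------- Part 1: reflected XSS rides in the URL, not in the database ----------

// Constructed vulnerable sink: the search term is echoed into the page as-is,
// the way an unencoded #url.query# would be in a CFML template.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// HTML-encode the characters that can break out of text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// The attacker never writes to the database. The payload is carried by a link
// (mailed, posted on another site, hidden behind a shortener) and executes in
// the browser of whoever follows it, on every such request.
function craftAttackUrl(searchPage, payload) {
  return `${searchPage}?query=${encodeURIComponent(payload)}`;
}

// Simulate one request: decode the query string and render it. A normal
// search two minutes later carries no payload, so the page is "clean" again;
// that is what makes the attack non-persistent, not what makes it harmless.
function serve(render, requestUrl) {
  const u = new URL(requestUrl);
  return render(u.searchParams.get('query') || '');
}

// ---------- Part 2: toy CSP frame-src matcher ----------

// Parse "directive src src; directive src" into { directive: [src, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Simplified source-expression match: 'none', 'self', '*', "scheme:", and host
// expressions with an optional scheme and a leading "*." wildcard. Ports,
// paths, nonces and hashes are ignored (assumption: enough to reason about an
// embed, not a conforming CSP engine).
function sourceMatches(expr, pageOrigin, targetUrl) {
  const t = new URL(targetUrl);
  if (expr === "'none'") return false;
  if (expr === "'self'") return t.origin === pageOrigin;
  if (expr === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return t.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && t.protocol !== `${scheme.toLowerCase()}:`) return false;
  const h = host.toLowerCase();
  // Per the spec, "*.youtube.com" matches subdomains only, not the bare host.
  return wildcard ? t.hostname.endsWith(`.${h}`) : t.hostname === h;
}

// CSP Level 3 fallback for frames: frame-src, else child-src, else default-src.
// No governing directive at all means frames are not restricted by CSP.
function frameAllowed(header, pageOrigin, frameUrl) {
  const policy = parseCsp(header);
  const sources = policy['frame-src'] || policy['child-src'] || policy['default-src'];
  if (!sources) return true;
  return sources.some(expr => sourceMatches(expr, pageOrigin, frameUrl));
}

// Constructed policies for the scenario in the thread (VIDEO_ID is a placeholder).
const PAGE_ORIGIN = 'https://example.com';
const YT_EMBED = 'https://www.youtube.com/embed/VIDEO_ID';
const CSP_TIGHT = "default-src 'self'; script-src 'self'";
const CSP_WITH_YOUTUBE =
  "default-src 'self'; script-src 'self'; " +
  "frame-src 'self' https://www.youtube.com https://www.youtube-nocookie.com";

function demo() {
  const attack = craftAttackUrl('https://example.com/search', '<script>alert(1)</script>');
  console.log(serve(renderSearchVulnerable, attack)); // script tag lands in the page
  console.log(serve(renderSearchSafe, attack));       // rendered as inert text
  console.log(frameAllowed(CSP_TIGHT, PAGE_ORIGIN, YT_EMBED));        // false: blocked
  console.log(frameAllowed(CSP_WITH_YOUTUBE, PAGE_ORIGIN, YT_EMBED)); // true: allowed
}
demo();
```

The first half shows the answer to the persistence question: the payload is not stored anywhere, but every victim who follows the crafted link sends it to the server afresh, so encoding url.query on output is what closes the hole. The second half shows that a policy whose only frame-governing directive is `default-src 'self'` blocks the YouTube iframe, and that listing the embed origin under `frame-src` admits it without loosening `script-src`.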

