Thanks Shawn and Cameron!


You guys got me to start looking into this issue. I didn’t realize some of the 
possibilities that might have been unprotected. Fusionlink is my server ISP, so 
I will probably use Portcullis.


But, here’s my follow-up question. It makes sense to me to have the XSS checks 
happen automatically, for every request. Right? So, I could put the function 
calls in OnRequest in application.cfc.


But, then, for my admin pages, where I want to allow logged in users to submit 
forms with <meta> tags and javascript, how do I disable the XSS check? If the 
XSS check is in OnRequest, it already happened before I got to the admin cfm 
page.


Do I have to remember to handle this separately for all my pages, and then just 
turn it off when I need to? This seems messy, so I'm hoping there's a better 
way!


Thanks for your ideas.


   Clarke
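One way to structure what Clarke is asking for, as an added example that is not code from this thread and is not how Portcullis or cf_xssblock themselves work: set `this.scriptProtect = "none"` in Application.cfc (a real Application.cfc setting, so the built-in filter never rewrites tags to `<InvalidTag>`), run one check in `onRequestStart` for every request, and keep a single allow-list of admin templates that skip it, but only when the session is authenticated. The `variables.rawHtmlPages` list, the `session.isLoggedIn` flag, the `targetPage` path format and the placeholder `xssCheck()` regex are all assumptions; the real filter (Portcullis or cf_xssblock) would go where the placeholder is.

```cfml
<!--- Application.cfc: one request-level XSS check with an allow-list for admin pages.
      Added example for this thread; not Portcullis, cf_xssblock, or anyone's posted code.
      Assumed names: variables.rawHtmlPages, session.isLoggedIn, xssCheck(). --->
<cfcomponent output="false">
    <cfset this.name = "cmsXssExample">
    <cfset this.sessionManagement = true>
    <!--- Turn the built-in filter off globally so it cannot rewrite admin input to <InvalidTag>;
          the onRequestStart check below becomes the single place the decision is made. --->
    <cfset this.scriptProtect = "none">

    <!--- Assumption: templates (paths as passed to onRequestStart) where logged-in users
          may submit raw HTML and JavaScript. Keep this list in one place, not per page. --->
    <cfset variables.rawHtmlPages = "/admin/editPage.cfm,/admin/editTemplate.cfm">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Every request is checked unless it is an exempt admin page AND the session is authenticated. --->
        <cfif NOT isExemptRequest(arguments.targetPage)>
            <cfset xssCheck()>
        </cfif>
        <cfreturn true>
    </cffunction>

    <cffunction name="isExemptRequest" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Assumption: the login code sets session.isLoggedIn = true on success. --->
        <cfset var loggedIn = structKeyExists(session, "isLoggedIn") AND session.isLoggedIn>
        <!--- Both conditions must hold: an unauthenticated hit on an admin URL is still filtered. --->
        <cfreturn (listFindNoCase(variables.rawHtmlPages, arguments.targetPage) GT 0) AND loggedIn>
    </cffunction>

    <cffunction name="xssCheck" returntype="void" output="false">
        <!--- Placeholder check (assumption): reject, rather than rewrite, any form/url/cookie value
              carrying an obvious script marker. Swap in Portcullis or cf_xssblock here for the real filter. --->
        <cfset var scopes = [form, url, cookie]>
        <cfset var scope = "">
        <cfset var key = "">
        <cfset var pattern = "<\s*(script|meta|iframe|object|embed|applet)|javascript\s*:|\bon\w+\s*=">
        <cfloop array="#scopes#" index="scope">
            <cfloop collection="#scope#" item="key">
                <cfif isSimpleValue(scope[key]) AND reFindNoCase(pattern, scope[key])>
                    <cfthrow type="XssCheckFailed"
                             message="Request rejected: suspicious markup in field #key#">
                </cfif>
            </cfloop>
        </cfloop>
    </cffunction>
</cfcomponent>
```

Rejecting the request (`cfthrow`, or `cfabort` with a message) instead of stripping tags means no page is ever silently mangled, and the allow-list plus login check is the only thing that has to be maintained when a new admin template is added. The trade-off to keep in mind is that an exempt page now stores whatever an authenticated admin submits, so the admin accounts themselves become the control.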


From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of shawn gorrell
Sent: Tuesday, January 19, 2010 6:26 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] ScriptProtect="none"


Clark, IMO scriptprotect is a total and utter waste of time. Abandon it. 

If you're interested in something better, and more comprehensive, take a look 
at John's Portcullis component, or my cf_xssblock tag. Typically I use my tag 
in application (cfm or cfc), rather than on a per-page basis, but it will also 
work easily on a per-page basis. 


From: Clarke Bishop <cbis...@resultantsys.com>
To: discussion@acfug.org
Sent: Tue, January 19, 2010 5:41:26 PM
Subject: [ACFUG Discuss] ScriptProtect="none"

I know it’s a good practice to use CF’s ScriptProtect feature.


But, I have an admin page in a CMS, and I need to be able to turn off 
ScriptProtect for that page. Otherwise, CF inserts <InvalidTag> messages!


Is there a way to turn off ScriptProtect for one page only? 


Thanks for any ideas!


   Clarke


------------------------------------------------------------- 
To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform 

For more info, see http://www.acfug.org/mailinglists 
Archive @ http://www.mail-archive.com/discussion%40acfug.org/ 
List hosted by FusionLink <http://www.fusionlink.com>  
------------------------------------------------------------- 