ScriptProtect error replacing insecure tag in scope CGI ??

2010-06-24 Thread Spencer K

Hi cftalk:

We are running CF8.

I am seeing a strange application error: "ScriptProtect error replacing insecure 
tag in scope CGI. The error occurred on line -1."

Strangely, there are very few Google references to this error, and absolutely 
no explanations / solutions that I can find.

We use ScriptProtect = ALL, and most of the time URL/FORM substitution works 
fine.  It converts script to INVALIDTAG as expected, etc.

However, we get this ScriptProtect error if we pass in the URL:

http://www.SERVER.com/search.cfm?querystring=javascript:alert%28412898284482%29

Clearly this has nothing to do with the CGI scope, so I'm a little confused at 
why an error is being thrown.

Our neo-security.xml file contains this bit, which deals with javascript:

<var name="javascript:">
 <string>java-script:</string>
</var>

Thanks for any help!



~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:334810
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: ScriptProtect error replacing insecure tag in scope CGI ??

2010-06-24 Thread Dave Watts

> However, we get this ScriptProtect error if we pass in the URL:
>
> http://www.SERVER.com/search.cfm?querystring=javascript:alert%28412898284482%29
>
> Clearly this has nothing to do with the CGI scope, so I'm a little confused 
> at why an error is being thrown.

It does, in fact, have something to do with the CGI scope. All the
data sent by the browser as part of the request header, including the
query string, are in the CGI scope. And allowing a JavaScript command
to be passed in the query string is probably not such a good idea
anyway.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:334817
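The point of Dave's reply, as an added example that is not part of the thread and not Adobe's code: the URL-decoded value lands in the URL scope, but the raw query string also lives in CGI.QUERY_STRING, so a ScriptProtect rule that fires on "javascript:" matches in both places. The script below parses a constructed fragment in the shape of the neo-security.xml snippet from the original post (the second rule, mapping "<script" to "<InvalidTag", is a constructed stand-in for the real tag rule), applies each rule as a case-insensitive literal replacement (an assumption; ColdFusion's real matching rules are not reproduced), and ends with the allowlist check a search page would use instead of letting a JavaScript URL through at all.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed fragment modelled on the <var name=...><string>...</string></var>
# entry quoted in the post. The surrounding neo-security.xml structure and the
# real "<script" rule are not reproduced; the second entry is a stand-in.
NEO_SECURITY_FRAGMENT = """
<array>
  <var name="javascript:"><string>java-script:</string></var>
  <var name="&lt;script"><string>&lt;InvalidTag</string></var>
</array>
"""


def load_replacements(xml_text):
    """Return an ordered list of (pattern, replacement) pairs from the fragment."""
    root = ET.fromstring(xml_text)
    pairs = []
    for var in root.iter("var"):
        target = var.find("string")
        if target is not None and var.get("name"):
            pairs.append((var.get("name"), target.text or ""))
    return pairs


def scrub(value, pairs):
    """Apply every rule as a case-insensitive literal replacement.

    Returns (scrubbed_value, [patterns that matched]). Case-insensitive literal
    matching is an assumption made for this example, not ColdFusion's behaviour.
    """
    hits = []
    for pattern, replacement in pairs:
        value, count = re.subn(re.escape(pattern), replacement, value, flags=re.IGNORECASE)
        if count:
            hits.append(pattern)
    return value, hits


def inspect_request(query_string, pairs):
    """Model what ScriptProtect=ALL would see for a GET request.

    URL.<name> holds each decoded parameter; CGI.QUERY_STRING holds the raw
    string exactly as the browser sent it. Both get scrubbed, and the result
    shows which scope each rule fired in.
    """
    report = {}
    for name, values in parse_qs(query_string).items():
        report["URL." + name] = scrub(values[0], pairs)
    report["CGI.QUERY_STRING"] = scrub(query_string, pairs)
    return report


# Allowlist for a search term: letters, digits, whitespace, hyphen, dot, at most
# 100 characters. "javascript:alert(1)" fails on the colon and parentheses.
SEARCH_TERM = re.compile(r"^[\w\s\-.]{1,100}$")


def is_safe_search_term(term):
    """Reject anything that is not a plain search phrase before it reaches a query or page."""
    return bool(SEARCH_TERM.match(term))


if __name__ == "__main__":
    rules = load_replacements(NEO_SECURITY_FRAGMENT)
    # Raw query string from the URL in the original post.
    result = inspect_request("querystring=javascript:alert%28412898284482%29", rules)
    for scope, (scrubbed, hits) in result.items():
        print(f"{scope}: {scrubbed!r}  matched={hits}")
    print("allowlist accepts raw value:", is_safe_search_term("javascript:alert(412898284482)"))
```

Running it shows the "javascript:" rule firing in both URL.querystring and CGI.QUERY_STRING, which is why the error names the CGI scope even though the application only reads URL.querystring. The allowlist is the fix on the application side: a search term that fails it is rejected before ScriptProtect ever has to rewrite it.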