Re: Form cleaner utility

2010-07-25 Thread Andrew Grosset
Check out OWASP...here is a CF implementation: http://blog.pengoworks.com/index.cfm/2008/1/3/Using-AntiSamy-to-protect-your-CFM-pages-from-XSS-hacks or the tinyurl link: http://tinyurl.com/yhl34tn I'm building a form cleaner utility method that might help thwart some XSS, clean my fields up,

Re: Form cleaner utility

2010-07-25 Thread Will Tomlinson
Why not just use CFQUERYPARAM bound parameters in your SQL? In my case, I'm scrubbing the data. cfqueryparam doesn't do that.

Re: Form cleaner utility

2010-07-25 Thread Dave Watts
Why not just use CFQUERYPARAM bound parameters in your SQL? In my case, I'm scrubbing the data. cfqueryparam doesn't do that. Right. That was directed to Andrew. CFQUERYPARAM doesn't provide any protection for XSS vulnerabilities. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/

Re: Form cleaner utility

2010-07-25 Thread Dave Watts
I'm building a form cleaner utility method that might help thwart some XSS, clean my fields up, etc. One nice thing about CF is that you can implement existing Java solutions. You can, for example, use Java servlet filters, which will process incoming requests before CF does. Andrew Grosset

Re: Form cleaner utility

2010-07-24 Thread Andrew Clarke
Here's something I've written. It scans incoming form variables for SQL Injection code. It has a couple shortcomings, but it's a start, anyway. One shortcoming is that if you legitimately have something like John has run to the store; selecting the pigs was most difficult, that will trigger

Re: Form cleaner utility

2010-07-24 Thread Dave Watts
Here's something I've written. It scans incoming form variables for SQL Injection code. It has a couple shortcomings, but it's a start, anyway. One shortcoming is that if you legitimately have something like John has run to the store; selecting the pigs was most difficult, that will

Re: Form cleaner utility

2010-07-24 Thread Andrew Clarke
I originally wrote that code for a client who had a lot of non-parameterized SQL in a legacy app and didn't want to pay me to rewrite it all. - Andrew. On 2010-07-24, at 12:35, Dave Watts wrote: Why not just use CFQUERYPARAM bound parameters in your SQL? Dave Watts, CTO, Fig Leaf Software
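The two points the thread circles around, that bound parameters stop SQL injection but do nothing for XSS (Dave Watts), and that a keyword scanner over form fields produces false positives on ordinary English (Andrew Clarke's "selecting the pigs" case), as an added Python example that is not code from this thread or from any of the posters. It uses sqlite3's `?` placeholder as a stand-in for `<cfqueryparam>` and `html.escape` as a stand-in for ColdFusion's HTML output encoding; the `naive_scanner` function and all sample strings are constructed for the illustration.

```python
import html
import sqlite3

# Constructed sample inputs, one per case discussed in the thread.
BENIGN_WITH_KEYWORDS = "John has run to the store; selecting the pigs was most difficult"
SQLI_ATTEMPT = "x'; DROP TABLE comments; --"
STORED_XSS = "<script>alert(1)</script>"


def naive_scanner(value):
    """Blacklist-style check of the kind a form cleaner might apply (constructed,
    hypothetical): flags SQL keywords and punctuation in a field.  Shown only to
    illustrate its false positives and its blind spots."""
    suspicious = ("select", "drop", "insert", ";", "--")
    lowered = value.lower()
    return any(token in lowered for token in suspicious)


def make_db():
    """In-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def store_comment(conn, body):
    """Bound parameter: the '?' placeholder plays the role of <cfqueryparam>.
    The value is passed to the driver as data, never spliced into SQL text."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()


def load_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


def render_comment(body):
    """Output encoding at render time, the step a bound parameter does not do.
    The stored value stays verbatim; the encoding happens on the way to the browser."""
    return f"<p>{html.escape(body, quote=True)}</p>"


def demo():
    conn = make_db()
    for value in (BENIGN_WITH_KEYWORDS, SQLI_ATTEMPT, STORED_XSS):
        store_comment(conn, value)
    stored = load_bodies(conn)
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    return {
        # the harmless sentence trips the keyword scanner
        "scanner_false_positive": naive_scanner(BENIGN_WITH_KEYWORDS),
        # the script tag contains no SQL keyword, so the scanner lets it through
        "scanner_misses_xss": not naive_scanner(STORED_XSS),
        # the table survives and the injection string is stored as plain data
        "sqli_neutralised": "comments" in tables and SQLI_ATTEMPT in stored,
        # the parameterised INSERT does nothing about script content
        "raw_xss_survives_db": STORED_XSS in stored,
        # encoding on output is what keeps it inert in the page
        "rendered": [render_comment(b) for b in stored],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Reading the result: the benign sentence is flagged by the scanner yet stored without incident by the bound parameter, the injection string is stored as an inert literal while the table is still there, and the script tag passes the scanner and the database untouched and is only neutralised when `render_comment` encodes it. That is the division of labour the thread lands on: parameterise the query, encode on output, and do not rely on keyword scrubbing for either.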