If you weren't paranoid about XSS before reading this article, you might be after! Besides the obvious dangers of unrestricted form input, there is also inline scripting, where malicious code is used in the URL.
One could pass all URLs (#cgi.script_name##cgi.query_string#) through a tag like CF_codecleaner (available at Macromedia.com). However, all we need to establish is whether there are "naughty bits" in the URL, so a quick
CompareNoCase(attributes.input, cleaned_input)
(to compare the original URL + query string with the cleansed URL + query string)
is all one needs. I roughed up a quick mod to CF_codecleaner to do this, and it takes 15 milliseconds to check the URL. If the URL is "unacceptable" you can then email yourself the details and cflocation to Google, etc.!
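The check described above, written out as an added example for this thread (it is not the poster's CF_codecleaner mod, and the cleaning rules, log file name and mail addresses are assumptions). The raw URL is rebuilt from cgi.script_name and cgi.query_string, a cleaned copy is produced, and CompareNoCase decides whether anything was stripped:

```coldfusion
<!--- Added example; not code from the original post or from CF_codecleaner. --->

<!--- Hypothetical stand-in for a cleaning tag: strips HTML tags,
      script: style URL schemes and on*= event-handler attributes.
      Only used to decide whether the URL was "naughty", never to
      produce output, so it can be as aggressive as you like. --->
<cffunction name="cleanInput" returntype="string" output="false">
    <cfargument name="input" type="string" required="true">
    <cfset var out = arguments.input>
    <cfset out = ReReplaceNoCase(out, "<[^>]*>", "", "ALL")>
    <cfset out = ReReplaceNoCase(out, "(javascript|vbscript|data)\s*:", "", "ALL")>
    <cfset out = ReReplaceNoCase(out, "\bon[a-z]+\s*=", "", "ALL")>
    <cfreturn out>
</cffunction>

<!--- Rebuild the requested URL the way the post suggests. --->
<cfset rawUrl = cgi.script_name>
<cfif Len(cgi.query_string)>
    <cfset rawUrl = rawUrl & "?" & cgi.query_string>
</cfif>

<!--- Decode before checking: a literal comparison never sees
      %3Cscript%3E. Decoding twice also catches double-encoded payloads. --->
<cfset decodedUrl = URLDecode(URLDecode(rawUrl))>
<cfset cleanedUrl = cleanInput(decodedUrl)>

<!--- CompareNoCase returns 0 when the strings match, i.e. nothing was stripped. --->
<cfif CompareNoCase(decodedUrl, cleanedUrl) NEQ 0>
    <!--- Assumed log file name; cflog writes under the server's log directory. --->
    <cflog file="xss_attempts" type="warning"
           text="Blocked #cgi.remote_addr# #rawUrl#">
    <!--- Assumed addresses. --->
    <cfmail to="admin@example.com" from="app@example.com"
            subject="Suspicious URL on #cgi.server_name#">
        Remote address: #cgi.remote_addr#
        Requested URL : #rawUrl#
        Decoded       : #decodedUrl#
    </cfmail>
    <cflocation url="http://www.google.com/" addtoken="false">
</cfif>
```

Two things worth keeping in mind when dropping this into Application.cfm: the decoded copy is only used for the comparison, so over-eager decoding cannot corrupt the real request, and sending one e-mail per blocked request lets anyone flood your inbox by hammering the URL, so the cflog line is the one to rely on and the cfmail is best rate-limited or dropped.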

