Ah... thanks, Dave. I misunderstood his question. I thought he was talking
about a UDF for scrubbing form inputs.

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 03, 2005 9:34 PM
To: CF-Talk
Subject: RE: using scriptProtect


> anyone know how good this is working?
>  I would assume using queryparam would still be in order but
> I thought this was for that but not quite sure.

No, these do different things. CFQUERYPARAM prevents you from sending
strings to the database as code that the database will execute. The new
SCRIPTPROTECT attribute is intended to filter inputs for common words used
in cross-site scripting attacks, which don't execute within the database at
all. Instead, XSS attacks typically execute within a browser - you send some
JavaScript when you submit a form, I later browse that record within the
application and my browser receives your JavaScript and executes it.

As for its usefulness, well, it's pretty limited. All it does is filter
against a few common words, which doesn't protect you against someone just a
bit more clever than that - there are all sorts of ways to write XSS
exploits, and this just catches the simplest and best-known.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
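To make Dave's distinction concrete, here is an added example (not from the thread, and Python rather than CFML so it can be run anywhere) that puts the two mechanisms side by side. The parameterised query is the analogue of CFQUERYPARAM: the input is bound as a value and never parsed as SQL. The `scriptprotect_filter` function is a constructed, simplified model of what scriptProtect's default rewrite does (replace the opening of a few tag names with `InvalidTag`); it is an assumption for illustration, not ColdFusion's code. The contextual encoder beside it needs no list of tag names, which is why it is the reliable XSS defence regardless of what scriptProtect is set to. The sample rows and inputs are constructed.

```python
import html
import re
import sqlite3

# Constructed model of the scriptProtect keyword blacklist (assumption, not CF's
# implementation): only these tag names are rewritten, everything else passes through.
SCRIPTPROTECT_TAGS = ("object", "embed", "script", "applet", "meta")
_SCRIPTPROTECT_RE = re.compile(
    r"<\s*(" + "|".join(SCRIPTPROTECT_TAGS) + r")\b", re.IGNORECASE
)


def scriptprotect_filter(value: str) -> str:
    """Blacklist filter: rewrite the listed opening tags to <InvalidTag, leave the rest alone."""
    return _SCRIPTPROTECT_RE.sub("<InvalidTag", value)


def encode_for_html(value: str) -> str:
    """Contextual output encoding for an HTML text node.

    Every markup-significant character becomes an entity, so the browser can
    never interpret stored input as a tag, whatever name that tag has.
    """
    return html.escape(value, quote=True)


def render_comment_blacklist(body: str) -> str:
    """What a page that relies on the keyword filter alone does: filtered text inserted raw."""
    return "<p>" + scriptprotect_filter(body) + "</p>"


def render_comment_encoded(body: str) -> str:
    """Encode at output time; the stored value is left exactly as the user typed it."""
    return "<p>" + encode_for_html(body) + "</p>"


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    rows = [("alice", "first!"), ("bob", "hello <b>world</b>"), ("o'brien", "hi")]
    conn.executemany("INSERT INTO comments (author, body) VALUES (?, ?)", rows)
    conn.commit()
    return conn


def comments_by_author_unsafe(conn: sqlite3.Connection, author: str) -> list:
    """String concatenation: the input becomes part of the SQL statement text."""
    sql = "SELECT body FROM comments WHERE author = '" + author + "'"
    return [row[0] for row in conn.execute(sql)]


def comments_by_author_param(conn: sqlite3.Connection, author: str) -> list:
    """Parameterised query, the analogue of CFQUERYPARAM: the input is a bound value."""
    cur = conn.execute("SELECT body FROM comments WHERE author = ?", (author,))
    return [row[0] for row in cur]


def input_parsed_as_sql(conn: sqlite3.Connection, author: str) -> bool:
    """True when the concatenated query fails to parse because the input was read as SQL.

    An ordinary apostrophe in a name is enough to show this; no crafted input is needed.
    """
    try:
        comments_by_author_unsafe(conn, author)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = setup_db()
    print("o'brien parsed as SQL by concatenation:", input_parsed_as_sql(conn, "o'brien"))
    print("o'brien via bound parameter:", comments_by_author_param(conn, "o'brien"))
    for body in ('<Script src="evil.js"></script>', 'use the <meta> tag', '<img src="x">'):
        print(repr(body))
        print("  blacklist:", render_comment_blacklist(body))
        print("  encoded:  ", render_comment_encoded(body))
```

Two things stand out when you run it. The blacklist rewrites the well-known `<script` case but also mangles a perfectly legitimate sentence that mentions the `<meta>` tag, and it passes any tag name that is not on its list straight into the page. The encoder treats all three inputs the same way and produces no `<` at all, which is the property you actually want at the point where user data meets HTML.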
