An old tried and true defense component is cfqueryparam. Search for "xss" and "cross-site scripting" and you should find a wealth of information going back years on the subject.
The CF7 admin-level defense is, I have to say, not something I have any comfort level with. So far its gotten itself shut off for being too draconian. CMS users needing to input javascript into their web pages were denied and that was the end of that. -- [EMAIL PROTECTED] Janitor, The Robertson Team mysecretbase.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Create robust enterprise, web RIAs. Upgrade & integrate Adobe Coldfusion MX7 with Flex 2 http://www.adobe.com/products/coldfusion/flex2/ Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271782 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4