> An old tried and true defense component is cfqueryparam.

For XSS? How does that do anything? It will prevent SQL injection, but that's a totally different attack.
> The CF7 admin-level defense is, I have to say, not something I have any comfort level with. So far it's gotten itself shut off for being too draconian. CMS users needing to input javascript into their web pages were denied and that was the end of that.

There are easy ways around that. First, you can set the script-protect in your application to not include form variables. That will at least protect you against URL, cookie and CGI-based XSS to some extent. But a better approach would be to have them input the javascript in the forms using a different format for the javascript tag that you then search-and-replace on in your action form. For instance use a [script] instead. Assuming these are pages that only admin users have, that will allow them to input what they need without opening the public area of the site up to XSS attacks.

--- Mary Jo

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271788
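The two approaches above, as an added CFML example that is not from the thread: an Application.cfc fragment that keeps scriptProtect on for the scopes an editor never needs, and an action page that turns the [script] placeholder back into a real tag only for an authenticated admin. The component name, the `session.isAdmin` login flag and the `pageBody` form field are assumptions for this example.

```cfml
<!--- Application.cfc (assumed file for this example).
      Option 1: keep scriptProtect on for URL, cookie and CGI scopes but
      leave FORM out, so the admin page editor is not blocked. --->
<cfcomponent>
    <cfset this.name = "cmsExample">
    <cfset this.scriptProtect = "url,cookie,cgi">
</cfcomponent>

<!--- Action page for the CMS editor form.
      Option 2: editors type [script]...[/script] in the form; only an
      admin session gets it converted back into <script>, so the tag never
      trips scriptProtect in transit. Non-admin input is HTML-escaped so
      public-facing pages never receive raw markup. --->
<cfparam name="form.pageBody" default="">
<cfparam name="session.isAdmin" default="false">  <!--- assumed login flag --->

<cfif session.isAdmin>
    <!--- admin-only: translate the bare placeholder tags back (attributes
          such as src are not handled by this simple form). --->
    <cfset body = form.pageBody>
    <cfset body = ReplaceNoCase(body, "[script]", "<script>", "ALL")>
    <cfset body = ReplaceNoCase(body, "[/script]", "</script>", "ALL")>
<cfelse>
    <!--- public visitors: escape everything, placeholder text included --->
    <cfset body = HTMLEditFormat(form.pageBody)>
</cfif>

<!--- body is now safe to persist (with cfqueryparam) or render --->
<cfoutput>#body#</cfoutput>
```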