I'm not sure if you're directing that question at Dave or me, so I will clarify my recommendation just in case.
==============================
Any time you embed text which a user/third party enters or has control over into another media, ensure that the potentially-unsafe text has any necessary meta-characters escaped.
==============================

That means if you want to output a name from the database into a JavaScript variable, you should run it through jsstringformat to remove any single ticks etc.

    var users_name = '#jsstringformat(my_query.users_name)#';

If you are building an XML document out of user-entered form fields, use xmlformat.

    <root><employee>#xmlformat(form.name)#</employee></root>

If you are outputting a message in an HTML page, use htmleditformat.

    <table>
      <tr>
        <td>
          #htmleditformat(qry_message.message_text)#
        </td>
      </tr>
    </table>

Any time you are evaluating a string as code, as in a JSON string returned from an external web service, use a JSON parser instead of just throwing it into an eval() function.

I know those are all generic examples, but I don't think there is necessarily a "silver bullet" snippet of code you can paste at the top of your page that will catch everything. In theory, if ALL data were properly escaped/sanitized according to the environment it was being embedded in, XSS attacks would not exist.

In my opinion, _most_ XSS attacks happen because programmers get lazy -- a sin I've certainly been guilty of myself.

~Brad

-----Original Message-----
From: Ian Rutherford [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 18, 2008 2:06 PM
To: CF-Talk
Subject: Re: Prevent Cross Site scripting

So what do you recommend instead? The built in XSS protection doesn't catch everything.
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303773
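The rule in Brad's post (escape for the context you are embedding into, and parse JSON rather than eval() it) written out as runnable JavaScript. This is an added example, not code from the CF-Talk thread or from ColdFusion: the encoder functions, their names and the sample "name" below are constructed here to stand in for jsstringformat, xmlformat and htmleditformat, one encoder per output context.

```javascript
// Added example (not from the CF-Talk post): one encoder per output context,
// plus JSON.parse in place of eval(). Function names and the sample input are
// constructed for this illustration.

// HTML text context (the post's htmleditformat case): the five characters
// that can open a tag, close an attribute or start an entity reference.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// XML text context (the xmlformat case): same characters, but XML defines a
// named entity for the apostrophe, so use it rather than the numeric form.
const XML_ENTITIES = { ...HTML_ENTITIES, "'": '&apos;' };
function encodeForXml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => XML_ENTITIES[ch]);
}

// JavaScript string-literal context (the jsstringformat case). Instead of
// listing the dangerous characters, allow only letters, digits and a few
// safe punctuation marks and \x / \u escape everything else. That covers the
// quote that would end the literal, the backslash, line terminators
// (including U+2028/U+2029) and the "</" that would close a <script> block.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ,._-]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Data context (the post's "use a JSON parser instead of eval()" case).
// JSON.parse accepts only JSON data; eval() would execute whatever code the
// remote service, or anyone able to tamper with its response, sent back.
function parseJsonSafely(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// The three templates from the post, with the ColdFusion format functions
// replaced by the encoders above.
function buildScriptVar(name) {
  return `var users_name = '${encodeForJsString(name)}';`;
}
function buildXmlEmployee(name) {
  return `<root><employee>${encodeForXml(name)}</employee></root>`;
}
function buildHtmlCell(text) {
  return `<td>${encodeForHtml(text)}</td>`;
}

// Constructed sample: a stored "name" carrying a quote and a script tag.
const SAMPLE_NAME = "O'Brien</script><script>alert(1)</script>";

// Each template is a string literal of its own format; the embedded value
// can no longer terminate the literal, the element or the script block.
console.log(buildScriptVar(SAMPLE_NAME));
console.log(buildXmlEmployee(SAMPLE_NAME));
console.log(buildHtmlCell(SAMPLE_NAME));
console.log(parseJsonSafely('{"users_name":"Ann"}'));
console.log(parseJsonSafely('alert(1)'));
```

The allow-list approach in encodeForJsString is deliberate: a deny-list of "single ticks etc." tends to miss a character (the U+2028 line separator is the classic one), whereas escaping everything outside a small known-safe set is lossless and cannot be bypassed by a character the list forgot.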