> > I haven't mentioned this before because I do believe that filtering
> > request URLs is the wrong approach
>
> Care to elaborate on this?
Denstar, dig out your neo-security.xml file. In my Windows CF8 standalone install it is located in C:\ColdFusion8\lib\neo-security.xml. Look at the following section:

    <var name="CrossSiteScriptPatterns">
      <struct type="coldfusion.server.ConfigMap">
        <var name="<\s*(object|embed|script|applet|meta)">
          <string><InvalidTag</string>
        </var>
      </struct>
    </var>

When you check the "Enable Global Script Protection" check box on the Settings page of ColdFusion Administrator, requests are filtered if anything in the Form, URL, CGI, or Cookie scope matches this regex: "<\s*(object|embed|script|applet|meta)"

What Jochem is saying is to add to that regex to filter for whatever else you want and enable that setting. While I agree with Jochem that request filtering is NOT the appropriate way to secure your application, this is a rather slick approach.

Also note, this is NOT rewriting. It is not happening at the network level, nor is it happening at the web server level (Apache, IIS). The requests are filtered when they reach ColdFusion.

~Brad

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:311114
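Added example (not from the post and not ColdFusion's own code): a Python model of what the Global Script Protection setting does to a request, using the pattern and replacement from the neo-security.xml snippet above, plus an extended pattern in the spirit of Jochem's suggestion. It assumes case-insensitive matching with every occurrence in a value replaced, and the extra tag names in the extended pattern are my choice, not from the post.

```python
import re

# Pattern and replacement exactly as in the neo-security.xml snippet above.
CF_DEFAULT_PATTERN = r"<\s*(object|embed|script|applet|meta)"
CF_REPLACEMENT = "<InvalidTag"

# Extended pattern, following Jochem's suggestion to add more tag names.
# The extra names (iframe, frame, style) are my choice, not from the post.
CF_EXTENDED_PATTERN = r"<\s*(object|embed|script|applet|meta|iframe|frame|style)"


def protect_scopes(scopes, pattern=CF_DEFAULT_PATTERN):
    """Rewrite every value in every scope the way Global Script Protection
    does when the request reaches ColdFusion. Assumptions: matching is
    case-insensitive and every occurrence in a value is replaced."""
    regex = re.compile(pattern, re.IGNORECASE)
    return {
        scope: {name: regex.sub(CF_REPLACEMENT, value)
                for name, value in values.items()}
        for scope, values in scopes.items()
    }


def filtered_fields(scopes, pattern=CF_DEFAULT_PATTERN):
    """List the (scope, field) pairs the filter altered, useful for logging."""
    after = protect_scopes(scopes, pattern)
    return sorted((s, f) for s in scopes for f in scopes[s]
                  if after[s][f] != scopes[s][f])


# Constructed sample request covering the four scopes the post names.
SAMPLE_REQUEST = {
    "form":   {"comment": "hi <script>x</script>", "name": "Denstar"},
    "url":    {"q": "< ScRiPt tag with whitespace"},
    "cgi":    {"HTTP_USER_AGENT": "Mozilla/5.0"},
    "cookie": {"pref": "<iframe src=x>"},
}

if __name__ == "__main__":
    # The default pattern leaves the cookie alone; the extended one catches it.
    for label, pattern in (("default", CF_DEFAULT_PATTERN),
                           ("extended", CF_EXTENDED_PATTERN)):
        print(label, filtered_fields(SAMPLE_REQUEST, pattern))
```

Note that only the opening tag is rewritten (the closing `</script>` does not match, since `/` is not whitespace), which is why the filtered value still contains a stray closing tag.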