> On our websites, we use Google Search Appliance (GSA). When a user enters a
> search term and submits the form, it goes to the GSA. We are using the GET method,
> hence the search term is passed as a URL variable. There is a chance of
> tampering with the search term in the URL, for example adding an alert statement to
> the search term. When this is done, the GSA just returns that no search results
> are available. I do not understand what the impact of cross-site
> scripting is with Google Search Appliance. Does anyone have an idea on this?
By default, there isn't any impact, because, as you observed, the GSA isn't going to do anything with that query parameter other than use it in server-side processing. But it is possible to modify the default XSLT to make it do dangerous things with inputs.

You can avoid this problem by using CF as a proxy of sorts: instead of submitting the search form directly to the appliance, you could submit it back to CF, which could either validate the values and then redirect you to the GSA, or make a CFHTTP call on your behalf. These things will increase the complexity of your application, though.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355147
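The CF-side proxy described in the reply above, as an added example; this is not Dave Watts' or Fig Leaf's code, and the thread itself contains no code. It assumes a hypothetical appliance host (gsaHost), that the search form posts a field named q to this page, and that the GSA accepts the q, site, client and output URL parameters and returns results in its XML output format as GSP/RES/R elements with U (URL) and T (title) children; those parameter names and that XML shape are taken from memory and are assumptions here. encodeForHTML and encodeForHTMLAttribute exist from ColdFusion 10 onward; on older versions use htmlEditFormat in their place.

```cfml
<!--- search.cfm: ColdFusion proxy in front of the GSA search form.
      Added example, not from the original thread. The host, the GSA
      parameter names and the GSP/RES/R result layout are assumptions. --->
<cfset gsaHost = "https://gsa.example.com">   <!--- hypothetical appliance --->
<cfset gsaParams = { site = "default_collection",
                     client = "default_frontend",
                     output = "xml_no_dtd" }>
<cfset maxQueryLength = 200>
<!--- true: fetch results with cfhttp; false: validate and redirect --->
<cfset useProxy = true>

<cfparam name="form.q" default="">
<cfset q = trim(form.q)>

<!--- 1. Validate with an allowlist: letters, digits, space and a few
      punctuation characters, bounded length. Angle brackets, quotes
      and parentheses are rejected here, so an injected
      <script>alert(1)</script> never reaches the appliance. --->
<cfset allowedPattern = '^[A-Za-z0-9 .,_''"-]{1,#maxQueryLength#}$'>
<cfif NOT reFind(allowedPattern, q)>
    <!--- Never echo the raw term; encode it for the HTML context --->
    <cfoutput><p>Invalid search term: <strong>#encodeForHTML(q)#</strong></p></cfoutput>
    <cfabort>
</cfif>

<cfif NOT useProxy>
    <!--- 2a. Redirect: build the appliance URL server-side, encoding the
          term exactly once, and send the browser to the GSA. --->
    <cfset target = gsaHost & "/search?q=" & urlEncodedFormat(q)>
    <cfloop collection="#gsaParams#" item="p">
        <cfset target &= "&" & p & "=" & urlEncodedFormat(gsaParams[p])>
    </cfloop>
    <cflocation url="#target#" addtoken="false">
</cfif>

<!--- 2b. Proxy: call the appliance from CF. The browser never sees the
      appliance URL, and this page, not the GSA XSLT, renders the output. --->
<cfhttp url="#gsaHost#/search" method="get" result="gsaResponse" timeout="10">
    <cfhttpparam type="url" name="q" value="#q#">
    <cfloop collection="#gsaParams#" item="p">
        <cfhttpparam type="url" name="#p#" value="#gsaParams[p]#">
    </cfloop>
</cfhttp>

<cfif NOT isXML(gsaResponse.fileContent)>
    <cfoutput><p>Search is temporarily unavailable.</p></cfoutput>
    <cfabort>
</cfif>

<!--- 3. Render: every value that came from the user or the appliance is
      encoded for the context it lands in (HTML body or href attribute). --->
<cfset resultsXml = xmlParse(gsaResponse.fileContent)>
<cfset hits = xmlSearch(resultsXml, "/GSP/RES/R")>   <!--- assumed layout --->
<cfoutput>
<p>Results for <strong>#encodeForHTML(q)#</strong>: #arrayLen(hits)#</p>
<ul>
<cfloop array="#hits#" index="hit">
    <cfset hitUrl = hit.U.xmlText>
    <cfset hitTitle = hit.T.xmlText>
    <!--- Only link to http(s) targets; drop javascript: and the like --->
    <cfif reFindNoCase("^https?://", hitUrl)>
        <li><a href="#encodeForHTMLAttribute(hitUrl)#">#encodeForHTML(hitTitle)#</a></li>
    </cfif>
</cfloop>
</ul>
</cfoutput>
```

The allowlist is deliberately narrow; widen the character class for the languages your site actually searches in rather than switching to a denylist of dangerous characters. The output encoding in step 3 matters even in the redirect variant, because the "no results" page that eventually echoes the term is where a reflected payload would execute if the XSLT were ever changed to print it unescaped.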

