Clarke, I can't speak to how Portcullis does it, but cf_xssblock allows you to exclude fields from each of the different sets of rules. It isn't exactly a scalpel, but it isn't exactly the club that earlier versions used to be.

You're right about using it in onRequest, which was my intent for the tag. You could always have conditional tag invocations based on the path.

S

________________________________
From: Clarke Bishop <cbis...@resultantsys.com>
To: discussion@acfug.org
Sent: Wed, January 20, 2010 9:39:06 AM
Subject: RE: [ACFUG Discuss] ScriptProtect="none"

Thanks Shawn and Cameron! You guys got me to start looking into this issue. I didn't realize some of the possibilities that might have been unprotected. Fusionlink is my server ISP, so I will probably use Portcullis.

But, here's my follow-up question. It makes sense to me to have the XSS checks happen automatically, for every request. Right? So, I could put the function calls in OnRequest in application.cfc.

But, then, for my admin pages, where I want to allow logged-in users to submit forms with <meta> tags and javascript, how do I disable the XSS check? If the XSS check is in OnRequest, it already happened before I got to the admin cfm page. Do I have to remember to handle this separately for all my pages, and then just turn it off when I need to? This seems messy, so I'm hoping there's a better way!

Thanks for your ideas.

Clarke

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of shawn gorrell
Sent: Tuesday, January 19, 2010 6:26 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] ScriptProtect="none"

Clarke, IMO scriptprotect is a total and utter waste of time. Abandon it. If you're interested in something better, and more comprehensive, take a look at John's Portcullis component, or my cf_xssblock tag. Typically I use my tag in application (cfm or cfc), rather than on a per-page basis, but it will also work easily on a per-page basis.

________________________________
From: Clarke Bishop <cbis...@resultantsys.com>
To: discussion@acfug.org
Sent: Tue, January 19, 2010 5:41:26 PM
Subject: [ACFUG Discuss] ScriptProtect="none"

I know it's a good practice to use CF's ScriptProtect feature.

But, I have an admin page in a CMS, and I need to be able to turn off ScriptProtect for that page. Otherwise, CF inserts <InvalidTag> messages! Is there a way to turn off ScriptProtect for one page only?

Thanks for any ideas!

Clarke

-------------------------------------------------------------
To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
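The path-conditional invocation Shawn describes, sketched as an Application.cfc. This is an added example, not code from the thread and not cf_xssblock or Portcullis; the admin prefix `/admin/`, the `session.userId` login marker and the `neutralizeScopes()` routine are assumptions standing in for whichever filter you actually use. The filter body deliberately mirrors what ScriptProtect does (rewriting script-bearing tag names to `<InvalidTag`) so the effect on Clarke's admin forms is visible; in a real deployment the `cf_xssblock` or Portcullis call would sit in its place.

```cfml
<!--- Application.cfc: run an XSS filter on every request except authenticated admin pages.
      Added example; the /admin/ prefix and session.userId are assumptions. --->
<cfcomponent output="false">
    <cfset this.name = "cmsExample">
    <cfset this.sessionManagement = true>
    <!--- The built-in filter is turned off because the custom one below runs in onRequest --->
    <cfset this.scriptProtect = "none">

    <!--- Assumption: every admin page lives under this path and requires a login --->
    <cfset variables.adminPathPrefix = "/admin/">

    <cffunction name="onRequest" returntype="void" output="true">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Skip the filter only when both conditions hold: admin path AND logged-in user.
              An anonymous request to /admin/ is still filtered. --->
        <cfif NOT (isAdminRequest() AND isUserLoggedIn())>
            <cfset neutralizeScopes()>
        </cfif>

        <cfinclude template="#arguments.targetPage#">
    </cffunction>

    <cffunction name="isAdminRequest" returntype="boolean" output="false">
        <!--- cgi.script_name is the server-resolved path, not a user-supplied header --->
        <cfreturn left(cgi.script_name, len(variables.adminPathPrefix)) EQ variables.adminPathPrefix>
    </cffunction>

    <cffunction name="isUserLoggedIn" returntype="boolean" output="false">
        <!--- Assumption: the login handler sets session.userId on success --->
        <cfreturn structKeyExists(session, "userId")>
    </cffunction>

    <cffunction name="neutralizeScopes" returntype="void" output="false">
        <!--- Same idea as ScriptProtect: tag names that can execute script become <InvalidTag.
              This is where a cf_xssblock or Portcullis call would go instead. --->
        <cfset var pattern = "<\s*/?\s*(script|object|embed|applet|meta|iframe)\b">
        <cfset var key = "">

        <cfloop collection="#form#" item="key">
            <cfif isSimpleValue(form[key])>
                <cfset form[key] = reReplaceNoCase(form[key], pattern, "<InvalidTag", "all")>
            </cfif>
        </cfloop>

        <cfloop collection="#url#" item="key">
            <cfif isSimpleValue(url[key])>
                <cfset url[key] = reReplaceNoCase(url[key], pattern, "<InvalidTag", "all")>
            </cfif>
        </cfloop>
    </cffunction>
</cfcomponent>
```

Because the check runs once in onRequest, individual admin pages need no per-page toggle, which addresses the "remember to handle this separately" concern. Note that a tag-name blacklist like this one only strips a few known tags on input; the admin content that passes through unfiltered still has to be encoded correctly wherever it is rendered, which is the same limitation Shawn raises against ScriptProtect itself.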