On Wed, Jan 20, 2010 at 9:39 AM, Clarke Bishop <cbis...@resultantsys.com> wrote:
> But, then, for my admin pages, where I want to allow logged in users to
> submit forms with <meta> tags and javascript, how do I disable the XSS
> check. If the XSS check is in OnRequest, it already happened before I got to
> the admin cfm page.

You can certainly do conditional logic inside the onRequest if you
want.  A combination of the user's authentication token and
page/event/fuseaction name should be enough to conditionally allow
certain content.

Just be very, very careful here: you may assume that authenticated
users can be trusted more than the outside world.  That is usually
true, but it doesn't mean that someone you trust won't get hit by an
XSS attack after they are already authenticated.  You're likely not
going to be a large enough target to worry too much about this, but
it's something to be aware of.

-Cameron

-- 
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell:  678.637.5072
aim:   cameroncf
email: camer...@gmail.com


-------------------------------------------------------------
To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
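An added example of the conditional logic Cameron describes, not code from the thread or from ACFUG: an Application.cfc whose onRequest runs the input check on every request except when both an admin session flag (assumed here to be set at login from the user's authentication token as `session.isAdmin`) and an allow-listed admin template (the `richContentPages` list is hypothetical) are present.

```cfml
<!--- Application.cfc (added example; session.isAdmin and the page list are assumptions) --->
<cfcomponent output="false">
    <cfset this.name = "acfugXssExample">
    <cfset this.sessionManagement = true>

    <!--- Allow-list of templates where an authenticated admin may post raw
          markup such as <meta> tags or script. Every other request is checked.
          Paths are relative to the web root. --->
    <cfset variables.richContentPages = ["admin/editpage.cfm", "admin/edittheme.cfm"]>

    <cffunction name="onRequest" returntype="void" output="true">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Normalize the template path so "/Admin/EditPage.cfm" matches the list --->
        <cfset var page = lCase(reReplace(arguments.targetPage, "^/+", ""))>
        <!--- Skip the check only when BOTH conditions hold: a valid admin
              session AND an allow-listed page. Being logged in alone is not enough. --->
        <cfset var skipCheck = structKeyExists(session, "isAdmin") AND session.isAdmin
                               AND arrayFindNoCase(variables.richContentPages, page) GT 0>
        <cfset var field = "">

        <cfif NOT skipCheck>
            <cfloop collection="#form#" item="field">
                <!--- Reject submitted fields carrying script-bearing markup; log what was blocked --->
                <cfif reFindNoCase("<\s*(script|meta|iframe|object|embed)|javascript:", form[field])>
                    <cflog file="xss" type="warning"
                           text="Blocked markup in form field #field# on #page# from #cgi.remote_addr#">
                    <cfheader statuscode="400" statustext="Bad Request">
                    <cfoutput>Request rejected.</cfoutput>
                    <cfabort>
                </cfif>
            </cfloop>
        </cfif>

        <cfinclude template="#arguments.targetPage#">
    </cffunction>
</cfcomponent>
```

Because an authenticated admin can still be the victim of XSS, as the reply warns, any content stored through the allow-listed pages should still be encoded (for example with htmlEditFormat) wherever it is rendered outside the admin context.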