Prevent Cross-Site Scripting in ColdFusion 5
I have an app that is written in ColdFusion 5 and there are several places in the app where CGI.query_string is used to set the query string on the href of an anchor tag. I need a clean way to scrub the CGI.query_string variable. I can't use URLEncodedFormat because all of the ampersands and equal signs will be encoded and then there won't be any query string variables. I can't use the application.scriptProtect variable because the app is in ColdFusion 5 and it can't be upgraded to any version of ColdFusion MX without some major work to fix errors. Does anyone know of a UDF, custom tag, CFX, etc. that I can use?

Thanks,
Donnie

~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331269
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Prevent Cross-Site Scripting in ColdFusion 5
Have you checked CFLib.org yet? Great collection of UDF's. Maybe something there that can help you.

Steve "Cutter" Blades
Adobe Community Professional - ColdFusion
Adobe Certified Professional
Advanced Macromedia ColdFusion MX 7 Developer
Co-Author of Learning Ext JS
http://www.packtpub.com/learning-ext-js/book
http://blog.cutterscrossing.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331271
Re: Prevent Cross-Site Scripting in ColdFusion 5
I have checked CFLib.org. They have a couple of UDF's for handling URL variables, but nothing that appeared like it would parse through CGI.query_string or use some sort of regular expression to encode or remove unwanted vars without losing the variables by encoding the ampersand and equal signs.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331272
RE: Prevent Cross-Site Scripting in ColdFusion 5
It's easy enough to write your own function for this sort of thing. Here's the basis of how I might approach it:

    <!--- Sample query string; in the real app this would be CGI.query_string --->
    <cfset REQUEST.qs = 'var1=andy&var2=Jaime&var3=Noelle'>
    <cfset REQUEST.qsArr = ArrayNew(1)>
    <!--- Walk the name=value pairs, splitting on the ampersand --->
    <cfloop index="REQUEST.outer" list="#REQUEST.qs#" delimiters="&">
        <cfset REQUEST.key = ListFirst(REQUEST.outer, '=')>
        <!--- ListRest (rather than ListLast) keeps any '=' that appears inside the value --->
        <cfset REQUEST.value = ListRest(REQUEST.outer, '=')>
    </cfloop>

At that point you could do anything you wanted to with REQUEST.key or REQUEST.value.

andy

-----Original Message-----
From: Donnie Carvajal [mailto:donnie.carva...@transformyx.com]
Sent: Tuesday, March 02, 2010 4:34 PM
To: cf-talk
Subject: Re: Prevent Cross-Site Scripting in ColdFusion 5

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:331274
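Andy's parse-then-rebuild approach carried through to a complete scrubber, as an added example in Python rather than CFML (not code from the thread): each key and value is URL-encoded on its own, so the '&' and '=' that separate the pairs survive while a quote or angle bracket inside a value can no longer break out of the href, and the finished URL is HTML-escaped for the attribute. The optional allowed_keys whitelist and SAMPLE_QS are assumptions of this example.

```python
"""Scrub a raw query string before placing it in an href attribute.

Added example in Python mirroring the CFML approach in the thread:
split on '&', then on the first '=', and re-encode each piece on its own.
"""
from html import escape
from urllib.parse import quote, unquote_plus

# Constructed sample of a hostile CGI.query_string (not from the thread):
# the third value tries to close the attribute and inject markup.
SAMPLE_QS = 'var1=andy&var2=Jaime&var3=No"elle<b>'


def parse_query_string(qs):
    """Return [(key, value), ...] with percent-encoding and '+' decoded.

    partition() splits on the first '=' only, so an '=' inside a value
    is kept (ListLast in the CFML sketch would drop the left part).
    """
    pairs = []
    for part in qs.split('&'):
        if not part:            # tolerate 'a=1&&b=2' and a trailing '&'
            continue
        key, _sep, value = part.partition('=')
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def rebuild_query_string(pairs, allowed_keys=None):
    """Re-encode every key and value separately.

    quote(..., safe='') percent-encodes everything but unreserved
    characters, so '&', '=', '"', '<' and '>' inside a key or value
    become %26, %3D, %22, %3C, %3E while the separators we add stay
    structural. allowed_keys (assumed) is an optional whitelist.
    """
    out = []
    for key, value in pairs:
        if allowed_keys is not None and key not in allowed_keys:
            continue
        out.append(quote(key, safe='') + '=' + quote(value, safe=''))
    return '&'.join(out)


def safe_href(path, qs, allowed_keys=None):
    """URL-encode the components, then HTML-escape the whole attribute."""
    clean = rebuild_query_string(parse_query_string(qs), allowed_keys)
    url = path + ('?' + clean if clean else '')
    return escape(url, quote=True)


if __name__ == '__main__':
    print(safe_href('page.cfm', SAMPLE_QS))
```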