RE: [ACFUG Discuss] ScriptProtect=none

2010-01-20 Thread Clarke Bishop
Thanks Shawn and Cameron!

You guys got me to start looking into this issue. I didn’t realize some of the possibilities that might have been unprotected. Fusionlink is my server ISP, so I will probably use Portcullis.

But, here’s my follow-up question. It makes sense to me to have the XSS checks happen automatically, for every request. Right? So, I could put the function calls in OnRequest in application.cfc.

But, then, for my admin pages, where I want to allow logged in users to submit forms with meta tags and javascript, how do I disable the XSS check? If the XSS check is in OnRequest, it already happened before I got to the admin cfm page.

Do I have to remember to handle this separately for all my pages, and then just turn it off when I need to? This seems messy, so I’m hoping there’s a better way!

Thanks for your ideas.

   Clarke

 

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of shawn gorrell
Sent: Tuesday, January 19, 2010 6:26 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] ScriptProtect=none

Clarke, IMO scriptprotect is a total and utter waste of time. Abandon it.

If you're interested in something better, and more comprehensive, take a look at John's Portcullis component, or my cf_xssblock tag. Typically I use my tag in application (cfm or cfc), rather than on a per-page basis, but it will also work easily on a per-page basis.

From: Clarke Bishop cbis...@resultantsys.com
To: discussion@acfug.org
Sent: Tue, January 19, 2010 5:41:26 PM
Subject: [ACFUG Discuss] ScriptProtect=none

I know it’s a good practice to use CF’s ScriptProtect feature.

But, I have an admin page in a CMS, and I need to be able to turn off ScriptProtect for that page. Otherwise, CF inserts InvalidTag messages!

Is there a way to turn off ScriptProtect for one page only?

Thanks for any ideas!

   Clarke


- 
To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform 

For more info, see http://www.acfug.org/mailinglists 
Archive @ http://www.mail-archive.com/discussion%40acfug.org/ 
List hosted by FusionLink http://www.fusionlink.com  
- 






Re: [ACFUG Discuss] ScriptProtect=none

2010-01-20 Thread shawn gorrell
Clarke, 

I can't speak to how Portcullis does it, but cf_xssblock allows you to exclude fields from each of the different sets of rules. It isn't exactly a scalpel, but it isn't exactly the club that earlier versions used to be.

You're right about using it in onRequest, which was my intent for the tag. You could always have conditionally based tag invocations using the path.

S





Re: [ACFUG Discuss] ScriptProtect=none

2010-01-20 Thread Cameron Childress
On Wed, Jan 20, 2010 at 9:39 AM, Clarke Bishop cbis...@resultantsys.com wrote:
> But, then, for my admin pages, where I want to allow logged in users to
> submit forms with meta tags and javascript, how do I disable the XSS
> check. If the XSS check is in OnRequest, it already happened before I got to
> the admin cfm page.

You can certainly do conditional logic inside the onRequest if you
want.  A combination of the user's authentication token and
page/event/fuseaction name should be enough to conditionally allow
certain content.

Just be very very careful here, you may assume that authenticated
users can be trusted more than the outside world.  That is usually
true, but it doesn't mean that someone you trust won't get hit by an
XSS attack after they are already authenticated.  You're likely not
going to be a large enough target to worry too much about this, but
it's something to be aware of.

-Cameron

-- 
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell:  678.637.5072
aim:   cameroncf
email: camer...@gmail.com
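Shawn's path-based conditional invocation and Cameron's "authentication token plus page name" check can live together in one Application.cfc. The following is an added example, not code from this thread, from Portcullis or from cf_xssblock; `session.userId`, the `/admin/` allowlist and the `filterScope` stand-in (which only mimics ScriptProtect's InvalidTag substitution) are assumptions.

```cfml
<!--- Application.cfc: added example, not the thread's, Portcullis' or cf_xssblock's code --->
<cfcomponent output="false">
    <cfset this.name = "CmsExample">
    <cfset this.sessionManagement = true>
    <!--- Built-in ScriptProtect is off globally; the onRequest filter below replaces it --->
    <cfset this.scriptProtect = "none">

    <!--- Assumed allowlist: pages under these paths may receive raw HTML/JS,
          but only from an authenticated session (see allowsRawHtml) --->
    <cfset variables.rawHtmlPaths = "/admin/">

    <cffunction name="onRequest" returntype="void" output="true">
        <cfargument name="targetPage" type="string" required="true">
        <cfif NOT allowsRawHtml(arguments.targetPage)>
            <!--- Stand-in for Portcullis / cf_xssblock: filter form and url before the page runs --->
            <cfset filterScope(form)>
            <cfset filterScope(url)>
        </cfif>
        <cfinclude template="#arguments.targetPage#">
    </cffunction>

    <!--- Skip filtering only when BOTH conditions hold: a logged-in session
          (session.userId is assumed to be set at login) AND an allowlisted path.
          Keeping the allowlist narrow matters because, as Cameron notes,
          authenticated users can still be targeted. --->
    <cffunction name="allowsRawHtml" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfif NOT structKeyExists(session, "userId")>
            <cfreturn false>
        </cfif>
        <cfloop list="#variables.rawHtmlPaths#" index="prefix">
            <cfif left(arguments.targetPage, len(prefix)) EQ prefix>
                <cfreturn true>
            </cfif>
        </cfloop>
        <cfreturn false>
    </cffunction>

    <!--- Mimics ScriptProtect: active tags are rewritten to InvalidTag.
          Structs are passed by reference, so the caller's scope is modified in place. --->
    <cffunction name="filterScope" returntype="void" output="false">
        <cfargument name="scope" type="struct" required="true">
        <cfloop collection="#arguments.scope#" item="key">
            <cfif isSimpleValue(arguments.scope[key])>
                <cfset arguments.scope[key] = reReplaceNoCase(arguments.scope[key],
                    "<\s*/?\s*(script|object|embed|applet|meta)\b", "<InvalidTag", "all")>
            </cfif>
        </cfloop>
    </cffunction>
</cfcomponent>
```

A request for `/admin/edit.cfm` from a session with `userId` set passes through untouched; the same post from an unauthenticated session, or to any page outside `/admin/`, is filtered first.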







[ACFUG Discuss] ScriptProtect=none

2010-01-19 Thread Clarke Bishop
I know it's a good practice to use CF's ScriptProtect feature.

But, I have an admin page in a CMS, and I need to be able to turn off ScriptProtect for that page. Otherwise, CF inserts InvalidTag messages!

Is there a way to turn off ScriptProtect for one page only?

Thanks for any ideas!

   Clarke







Re: [ACFUG Discuss] ScriptProtect=none

2010-01-19 Thread Cameron Childress
On Tue, Jan 19, 2010 at 5:41 PM, Clarke Bishop cbis...@resultantsys.com wrote:
> I know it’s a good practice to use CF’s ScriptProtect feature.

I'm not sure I agree with that.  There are many other better solutions
that cover you a lot more completely.

-Cameron

-- 
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell:  678.637.5072
aim:   cameroncf
email: camer...@gmail.com

