RE: [ACFUG Discuss] ScriptProtect=none
Thanks Shawn and Cameron! You guys got me to start looking into this issue. I didn’t realize some of the possibilities that might have been unprotected. Fusionlink is my server ISP, so I will probably use Portcullis.

But, here’s my follow-up question. It makes sense to me to have the XSS checks happen automatically, for every request. Right? So, I could put the function calls in OnRequest in application.cfc. But, then, for my admin pages, where I want to allow logged in users to submit forms with meta tags and javascript, how do I disable the XSS check? If the XSS check is in OnRequest, it already happened before I got to the admin cfm page. Do I have to remember to handle this separately for all my pages, and then just turn it off when I need to? This seems messy, so I’m hoping there’s a better way!

Thanks for your ideas.

Clarke

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of shawn gorrell
Sent: Tuesday, January 19, 2010 6:26 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] ScriptProtect=none

Clark, IMO scriptprotect is a total and utter waste of time. Abandon it. If you're interested in something better, and more comprehensive, take a look at John's Portcullis component, or my cf_xssblock tag. Typically I use my tag in application (cfm or cfc), rather than on a per-page basis, but it will also work easily on a per-page basis.

-
To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink http://www.fusionlink.com
-
Re: [ACFUG Discuss] ScriptProtect=none
Clarke, I can't speak to how Portcullis does it, but cf_xssblock allows for you to exclude fields from each of the different sets of rules. It isn't exactly a scalpel, but it isn't exactly the club that earlier versions used to be. You're right about using it in onRequest, which was my intent for the tag. You could always have conditionally based tag invocations using the path.

S
Re: [ACFUG Discuss] ScriptProtect=none
On Wed, Jan 20, 2010 at 9:39 AM, Clarke Bishop cbis...@resultantsys.com wrote:
> But, then, for my admin pages, where I want to allow logged in users to submit forms with meta tags and javascript, how do I disable the XSS check? If the XSS check is in OnRequest, it already happened before I got to the admin cfm page.

You can certainly do conditional logic inside the onRequest if you want. A combination of the user's authentication token and page/event/fuseaction name should be enough to conditionally allow certain content. Just be very, very careful here; you may assume that authenticated users can be trusted more than the outside world. That is usually true, but it doesn't mean that someone you trust won't get hit by an XSS attack after they are already authenticated. You're likely not going to be a large enough target to worry too much about this, but it's something to be aware of.

-Cameron

--
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: camer...@gmail.com
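The conditional check Cameron describes, written out as an Application.cfc. It is an added example, not code from the thread, from Portcullis or from cf_xssblock. The built-in ScriptProtect setting is per application, so it is switched off and replaced by a filter that runs on every request except when both conditions hold: the request targets one of a short list of admin pages and the session was marked as an admin login. The application name, the two admin paths and the session.isAdmin flag are assumptions. onRequestStart is used rather than onRequest because it runs before the target page just the same and does not require including arguments.targetPage by hand.

```cfml
// Application.cfc  (added example; not the thread's, Portcullis's or cf_xssblock's code)
component {
    this.name = "cmsExample";          // assumed application name
    this.sessionManagement = true;
    // ScriptProtect is all-or-nothing for the whole application, so it is
    // turned off here and replaced by the per-request filter below.
    this.scriptProtect = "none";

    // Only these pages may receive raw HTML/JS, and only in an admin session.
    // Hypothetical paths; keep this list as short as possible.
    variables.rawHtmlPages = "/admin/page_edit.cfm,/admin/template_edit.cfm";

    public boolean function onRequestStart(required string targetPage) {
        if (!allowRawHtml(arguments.targetPage)) {
            scrubScope(form);
            scrubScope(url);
        }
        return true;
    }

    // Both conditions must hold. The exemption is keyed to the page, not the
    // user: an authenticated admin is still a browser that can be hit by XSS,
    // so the rest of the site stays filtered even for admins.
    private boolean function allowRawHtml(required string targetPage) {
        var onAdminPage = listFindNoCase(variables.rawHtmlPages, arguments.targetPage) GT 0;
        var isAdmin = structKeyExists(session, "isAdmin") && session.isAdmin EQ true;
        return onAdminPage && isAdmin;
    }

    // Same tag names ScriptProtect blocks, rewritten to InvalidTag the way it
    // does; this is the rewrite Clarke was seeing on his admin page.
    private void function scrubScope(required struct scope) {
        var key = "";
        for (key in arguments.scope) {
            if (isSimpleValue(arguments.scope[key])) {
                arguments.scope[key] = reReplaceNoCase(
                    arguments.scope[key],
                    "(<\s*/?\s*)(script|object|embed|applet|meta)\b",
                    "\1InvalidTag",
                    "all");
            }
        }
    }
}
```

A tag blocklist like this one (or ScriptProtect itself) is a stopgap, not a guarantee: it is easy to get around with event-handler attributes, javascript: URLs and encoding tricks. Whatever the filter lets through, anything the admin page stores should still be encoded wherever it is rendered outside the editor (htmlEditFormat in the CF8/9 era, encodeForHTML from CF10 on).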
[ACFUG Discuss] ScriptProtect=none
I know it's a good practice to use CF's ScriptProtect feature. But, I have an admin page in a CMS, and I need to be able to turn off ScriptProtect for that page. Otherwise, CF inserts InvalidTag messages! Is there a way to turn off ScriptProtect for one page only? Thanks for any ideas!

Clarke
Re: [ACFUG Discuss] ScriptProtect=none
On Tue, Jan 19, 2010 at 5:41 PM, Clarke Bishop cbis...@resultantsys.com wrote:
> I know it’s a good practice to use CF’s ScriptProtect feature.

I'm not sure I agree with that. There are many other better solutions that cover you a lot more completely.

-Cameron

--
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: camer...@gmail.com