> I think that approach is asinine. To blindly sanitize
> variables with no regard for what they contain seems dumb.
> The correct answer to me would be to sanitize as necessary
> with functions like htmleditformat() at the point of use.
I don't think there is a single "correct" answer. That
So, what are your thoughts on using the following logic to prevent
cross-site scripting attacks:
Place code in Application.cfm to strip out ALL tags in all URL, FORM,
and COOKIE variables.
Note: this would not allow you to pass things like XML around in URL or
FORM fields.
I think that ap
On 8/7/07, Paul Vernon wrote:
> I guess I should qualify that and say, use HTMLEditFormat() and
> HTMLCodeFormat() on any *untrusted* user submitted content.
What's this "trust" thing of which you speak? :-)
I was trying to find a catch-all for cfquery cuz I just went thru this
same deal a
> > For XSS then you really should be looking at using HTMLEditFormat()
> and
> > HTMLCodeFormat() to make any user submitted content safe.
>
> Damn. What does that do to WYSIWYG stuff?!?! And CF8 has this shiny
> DHTML editor...
>
I guess I should qualify that and say, use HTMLEditFormat() an
On 8/6/07, Paul Vernon wrote:
> I don't know how many times we've seen the subject of this thread over the
> last few years but it generally ends with Jochem blowing holes in every type
> of contrived SQL injection protection and the general consensus ends up
> being if you are worried about SQL in
I don't know how many times we've seen the subject of this thread over the
last few years but it generally ends with Jochem blowing holes in every type
of contrived SQL injection protection and the general consensus ends up
being if you are worried about SQL injection, use CFQUERYPARAM.
For XSS th
On 8/6/07, Justin Scott wrote:
> > Anyways, while I'm percolating, anyone have any
> > ideas? Doable, not-doable, done? Hmmm
>
> There was a link to a site earlier today where I found an XSSBlock custom
> CFML tag that has an option to block basic SQL injection attacks:
>
> http://www.illumine
> Anyways, while I'm percolating, anyone have any
> ideas? Doable, not-doable, done? Hmmm
There was a link to a site earlier today where I found an XSSBlock custom
CFML tag that has an option to block basic SQL injection attacks:
http://www.illumineti.com/documents/xssblock.txt
-Justin Sco
I've inherited a fusebox site that doesn't seem to have much
in the way of cfqueryparamed user-entered variables...
There are a bunch of queries, so I'm thinking of how I could
work lazy-er and yet fun-er. It's been a bit since I messed
with FB, but I was thinking perhaps I could create a circuit