Skip to main content

Preventing XSS in ColdFusion

By
How to prevent cross site scripting in ColdFusion. Useful page from The Dev Shack:
http://www.thedevshack.com/preventing-xss-cross-site-scripting-attacks-in-coldfusion/

Essentially:
  1. Enable Global Script Protection in your application. You can accomplish this by using the scriptProtect attribute in your application.cfc.
  2. You can also globally enable script protection at the server level via the ColdFusion Administrator. Under settings check Enable Global Script Protection.
  3. Use HTMLEditFormat around ANY variables that contain user submitted input.
  4. Search and replace any maliciuous data. Replace script tags, etc… with nothing.
  5. Validate user submitted input on the server side. Check data types and lengths.
Labels:

Comments

Aaron Greenlee said…
Short and sweet. Thanks for the quick post.

Aaron Greenlee
htp://www.aarongreenlee.com/
29 May 2009 at 01:09
Post a comment

Popular posts from this blog

Take website screenshot using ASP.NET

By
Utilising a hidden web browser control it is possible to take a screenshot of any website. The code shown below is based on an article at plentyofcode.com (sorry the site now appears to be offline May 2012) but I have translated it from VB.NET to C# and will work in .NET so theoretically for any Windows or ASP.NET web project.
using System; using System.Drawing; using System.Drawing.Imaging; using System.Windows.Forms; using System.Diagnostics; namespace WebsiteScreenshot { public class GetImage { private int s_Height; private int s_Width; private int f_Height; private int f_Width; private string myURL; public int ScreenHeight { get { return s_Height; } set { s_Height = value; } } public int ScreenWidth { get { return s_Width; } set { s_Width = value; } } public int ImageWidth { get { return f_Width; } set { f_Width = value; } } public int ImageHeight { get { return f_Height; } set { f_Height = value; } } public string Website …
2 comments
Read more

John Hamblin Furniture Restorer - New Website

By
I was asked to produce a new website for local furniture restorer and cabinet maker John Hamblin. Having struggled with another provider who failed to deliver a finished website I was asked to take the website on and produce a simple site that communicates their values of high quality workmanship and excellent customer service.

The new website is live and can be viewed here:
http://www.johnhamblinfurniturerestorer.co.uk/



Post a comment
Read more

Compress and de-compress strings in C#

By
A collection of resources on compressing and encrypting strings in C#.
Microsoft documentation on the System.IO.Compression.GZipStream class:
http://msdn.microsoft.com/en-us/library/system.io.compression.gzipstream.aspx
Helpful example class utilising GZip:
http://www.csharphelp.com/2007/09/compress-and-decompress-strings-in-c/
The GZipStream class is predominantly used for file compression but can be used efficiently for compressing strings of 300-400 characters or more. Below 300 characters there isn’t any measurable gain from the compression and for particularly short strings the compressed version may in fact be larger.
Class provided by C Sharp Help:
using System.IO.Compression;
using System.Text;
using System.IO;
public static string Compress(string text)
{
    byte[] buffer = Encoding.UTF8.GetBytes(text);
    MemoryStream ms = new MemoryStream();
    using (GZipStream zip = new GZipStream(ms, CompressionMode.Compress, true))����…
Post a comment
Read more