Thursday, 28 May 2009

Preventing XSS in ColdFusion

How to prevent cross-site scripting in ColdFusion. Useful page from The Dev Shack:
http://www.thedevshack.com/preventing-xss-cross-site-scripting-attacks-in-coldfusion/

Essentially:
  1. Enable Global Script Protection in your application. You can accomplish this with the scriptProtect attribute: set this.scriptProtect in Application.cfc (or the scriptProtect attribute of cfapplication in Application.cfm) to "all" or to a list of scopes such as "form,url". Be aware that this only rewrites a fixed set of tags (script, object, embed, applet, meta) in the scopes you name; it does nothing about payloads carried in attributes or event handlers, so treat it as a safety net rather than the fix.
  2. You can also globally enable script protection at the server level via the ColdFusion Administrator. Under Server Settings > Settings, check Enable Global Script Protection.
  3. Use HTMLEditFormat around ANY variables that contain user-submitted input when you output them. It escapes <, >, & and double quotes, which is enough for element content and double-quoted attribute values; it does not escape single quotes and is not a suitable encoder for JavaScript or URL contexts.
  4. Search and replace any malicious data, e.g. strip script tags. This is a blacklist, and attackers routinely find strings it misses, so use it only as a secondary measure behind output encoding.
  5. Validate user-submitted input on the server side. Check data types and lengths, and where possible whitelist the characters a field may contain.
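
As an added worked example (not code from this post or from the Dev Shack article), here are steps 1, 3 and 5 put together in a minimal Application.cfc and a form handler page. The file names, application name, form field names and the nickname regex are assumptions chosen for illustration; the commented-out line shows the vulnerable output that the encoded version replaces.

```cfml
<!--- Application.cfc (added example; file and application names are assumptions) --->
<cfcomponent output="false">
    <cfset this.name = "xssDemo">
    <!--- Step 1: script protection for the FORM and URL scopes. ColdFusion rewrites
          <script, <object, <embed, <applet and <meta in these scopes to <InvalidTag.
          Anything else, e.g. <img src=x onerror=...>, passes through untouched. --->
    <cfset this.scriptProtect = "form,url">
</cfcomponent>

<!--- comment.cfm: handles a POSTed nickname and comment (field names are assumptions) --->
<cfparam name="form.nickname" type="string" default="">
<cfparam name="form.comment"  type="string" default="">

<!--- Step 5: validate on the server. Whitelist the nickname's characters and cap lengths. --->
<cfif NOT REFind("^[A-Za-z0-9_ ]{1,30}$", form.nickname)>
    <cfthrow message="Nickname must be 1 to 30 letters, digits, spaces or underscores.">
</cfif>
<cfif Len(form.comment) GT 2000>
    <cfthrow message="Comment must be 2000 characters or fewer.">
</cfif>

<cfoutput>
<!--- Vulnerable: raw user input in the page. With scriptProtect on, <script> is
      neutralised, but <img src=x onerror=alert(1)> still executes.
<p>#form.comment#</p>
--->

<!--- Step 3: encode on output. HTMLEditFormat turns < > & and " into entities,
      so the same payload renders as inert text. Safe for element content and
      double-quoted attributes; do not reuse it for JavaScript or URL contexts. --->
<h2>Comment from #HTMLEditFormat(form.nickname)#</h2>
<p>#HTMLEditFormat(form.comment)#</p>
<input type="text" name="nickname" value="#HTMLEditFormat(form.nickname)#">
</cfoutput>
```

Validation here rejects bad input outright with cfthrow; in a real application you would route the error back to the form. The encoding step is the one that actually stops the injection, which is why it is applied to every echoed field, including the one already restricted to a safe character set.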

1 comment:

Aaron Greenlee said...

Short and sweet. Thanks for the quick post.

Aaron Greenlee
http://www.aarongreenlee.com/