Hi, is there any quick and solid way to protect against XSS hacks in CF8? Would HTMLEditFormat() work? Any other tips would be great! Thanks
Although I strongly recommend sanitizing your data for what characters you *will* allow as opposed to just trying to filter ones that you know are bad, here is a little piece of code that I wrote some time back as an extra stopgap to catch things I might have missed. You can drop this piece into your onRequestStart() to help your cause:

    <!--- var declarations have to be the first statements in the function --->
    <cfset var badchars = ">,%3c,<,%3e,=,%3d,',%27,"",%22" />
    <cfset var i = "" />
    <cfset var j = "" />
    <cftry>
        <!--- strip every listed character (and its URL-encoded form) from every form field --->
        <cfloop collection="#form#" item="i">
            <cfloop list="#badchars#" index="j">
                <cfset form[i] = ReplaceNoCase(form[i], j, "", "all") />
            </cfloop>
        </cfloop>
        <!--- same treatment for every url parameter --->
        <cfloop collection="#url#" item="i">
            <cfloop list="#badchars#" index="j">
                <cfset url[i] = ReplaceNoCase(url[i], j, "", "all") />
            </cfloop>
        </cfloop>
        <!--- swallow any error so an odd value never breaks the request --->
        <cfcatch />
    </cftry>

For more, here is a blog entry I wrote on the subject a couple of years ago: http://daveshuck.instantspot.com/bl...op-looking-for-bad-charactersstrings-to-block
BTW, if you do use this in your onRequestStart() as opposed to calling it as a custom tag from an Application.cfm or something, make sure to var scope your variables (i and j specifically) or you will end up with some *big* threading problems.
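As an added example (not code from the original posts), here is the allow-list side of the advice above combined with the HTMLEditFormat() output encoding the question asks about, written for CF8 tag syntax. The function names isSafeUsername and encodeForHtmlBody, the url.user parameter and the username character rule are assumptions made for the illustration. It also covers a caveat a practitioner should know: HTMLEditFormat() escapes &, <, > and the double quote but not the single quote, so a value echoed into a single-quoted attribute needs that character handled separately.

```cfml
<!--- Added example, not from the original thread. Names and rules are assumed. --->

<!--- Allow-list check: say what IS permitted and reject everything else,
      rather than trying to strip the characters you know are bad. --->
<cffunction name="isSafeUsername" returntype="boolean" output="false">
    <cfargument name="value" type="string" required="true" />
    <!--- Letters, digits, underscore and dot only, 1 to 32 characters (assumed rule). --->
    <cfreturn REFind("^[A-Za-z0-9_.]{1,32}$", arguments.value) GT 0 />
</cffunction>

<!--- Output encoding for an HTML body or attribute context.
      HTMLEditFormat() handles &, <, > and double quotes; the single quote
      is escaped here as well so the result is also safe inside 'quoted' attributes. --->
<cffunction name="encodeForHtmlBody" returntype="string" output="false">
    <cfargument name="value" type="string" required="true" />
    <cfreturn Replace(HTMLEditFormat(arguments.value), "'", "&##39;", "all") />
</cffunction>

<!--- Usage: validate on the way in, encode on the way out. --->
<cfparam name="url.user" default="" />
<cfif NOT isSafeUsername(url.user)>
    <!--- A failed allow-list check is an error, not something to "clean up". --->
    <cfthrow type="BadInput" message="Invalid username" />
</cfif>
<cfoutput>
<p>Hello, #encodeForHtmlBody(url.user)#</p>
<a href='/profile?user=#URLEncodedFormat(url.user)#' title='#encodeForHtmlBody(url.user)#'>profile</a>
</cfoutput>
```

Note that the two halves do different jobs: the allow-list check stops bad data from entering, while the encoding makes whatever does get stored harmless in the one context (HTML) it is rendered into. Values placed into a URL go through URLEncodedFormat() instead, since the encoding has to match the output context.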