Defending against Cross-Site Scripting

Previous page
Table of content
Next page

One way your web application be harmed is by cross-site scripting. This is simply the use of HTML and other codes within web based form. As a simple example, imagine a forums application that lets people write their own entries. Someone could write an entry that contained JavaScript code. When someone else views that page, the JavaScript code is executed just as if you had written it yourself. This could be very dangerous. Luckily, ColdFusion provides a simple solution. In chapter 19, you learned about the Application.cfc file and how you can configure ColdFusion applications via the THIS scope. You can simply add one more attribute to the THIS scope:

 <cfset THIS.scriptProtect="all">

This one line will clean all FORM, URL, CGI, and COOKIE variables. So for example, this line of text:

 <script>alert('hi');</script>

becomes

 <InvalidTag>alert('hi');</script>

You can specify just one of the above scopes instead of "ALL" if you want to be more specific. You can also turn on this feature automatically in the ColdFusion Administrator Settings page.


Previous page
Table of content
Next page
Macromedia Coldfusion MX 7 Web Application Construction Kit
Macromedia Coldfusion MX 7 Web Application Construction Kit
ISBN: 321223675
EAN: N/A
Year: 2006
Pages: 282
BUY ON AMAZON
Beginners Guide to DarkBASIC Game Programming (Premier Press Game Development)
Crystal Reports 9 on Oracle (Database Professionals)
Qshell for iSeries
SQL Hacks
Visual Studio Tools for Office(c) Using C# with Excel, Word, Outlook, and InfoPath
.NET-A Complete Development Cycle
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy