ScriptProtect error replacing insecure tag in scope CGI

New Here, Jul 14, 2009

I am getting the ScriptProtect error replacing insecure tag in scope CGI error. This was brought up two other times in the history of the forum. Additionally, it has not been truly addressed over the web. The problem that I am having is that the way that this is being addressed is very cursory. We all know that this can happen when ScriptProtect=all is turned on in the <cfapplication> tag. The problem is that this is not related to the lib/neo-security.xml file. It can be resolved by removing the scriptprotect attribute, but we need this attribute for help with XSS attacks. I am running this on our site and thought that it could have been something that I was passing in the URL, but that is not the case. In fact, after removing all of the querystring and just calling the website directly after receiving that error, the error persists. It doesn't go away until I refresh the home page, close my browser or clear my cache.

The problem remains that when I go to a page and pass certain values (which are not XSS related and are not filtered out with the lib/neo-security.xml file), I still get this error. Where is this error generated? Why does it reference the CGI scope of all things? How can this be resolved without removing the scriptprotect attribute?

Sincerely,

Braden Lake

Guest, Jul 22, 2009

Does anybody have an answer to this?

Valorous Hero, Jul 22, 2009

Braden Lake wrote:

Does anybody have an answer to this?

Nope.

Answer to what? What error did you actually get?

The only insight I can give is as to why the CGI scope may be called. The CGI scope includes data provided to the web server by the browser and is just as vulnerable to XSS modification by hackers as GET and POST data. In fact, cgi.query_string is a copy of any GET data provided as URL parameters.

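Added example, not part of any post in this thread and not ColdFusion's own code: a small Python model of the point made in the reply above, that CGI variables are built from client-supplied request data. It goes beyond cgi.query_string to the header-derived HTTP_* variables. The pattern, the replacement string, the function names and the sample requests are all assumptions constructed for illustration; the real patterns are whatever lib/neo-security.xml defines.

```python
import re

# Assumed pattern and replacement, standing in for the server's configured ones.
PATTERN = re.compile(r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE)
REPLACEMENT = "<InvalidTag"


def cgi_from_request(raw):
    """Derive CGI variables from a raw HTTP request (RFC 3875 naming)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    cgi = {"REQUEST_METHOD": method, "SCRIPT_NAME": path, "QUERY_STRING": query}
    for line in header_lines:
        name, _, value = line.partition(":")
        # Every request header becomes HTTP_<NAME>, so its value is client-supplied.
        cgi["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return cgi


def protect(scope):
    """Rewrite matching values; return the cleaned scope and the keys touched."""
    cleaned, touched = {}, []
    for key, value in scope.items():
        new_value, hits = PATTERN.subn(REPLACEMENT, value)
        cleaned[key] = new_value
        if hits:
            touched.append(key)
    return cleaned, sorted(touched)


# Constructed sample requests (not taken from the thread). The values are
# harmless strings that merely happen to match the assumed pattern.
WITH_QUERY = (
    "GET /index.cfm?view=<meta-report> HTTP/1.1\r\n"
    "Host: www.example.com\r\n\r\n"
)
NO_QUERY_BUT_COOKIE = (
    "GET /index.cfm HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: LASTVIEW=<meta-report>\r\n\r\n"
)

if __name__ == "__main__":
    for raw in (WITH_QUERY, NO_QUERY_BUT_COOKIE):
        cleaned, touched = protect(cgi_from_request(raw))
        print(touched, cleaned)
```

In this model the second request has an empty QUERY_STRING, yet a CGI variable is still rewritten because HTTP_COOKIE carries the matching value.
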
Guest, Jul 28, 2009

You could try Portcullis instead of the built-in XSS system in the CF Server. http://portcullis.riaforge.org/

Community Expert, Jul 28, 2009

What value did you set scriptprotect to?
