2 Replies Latest reply on May 12, 2015 9:37 AM by ronboy30

    Is it a best practice to use urlencodedformat() on all URL variables?

    ronboy30


      We are currently using mostly CF11 but still have one production server with CF9.  We run Webinspect and Nessus scans are consistently getting vulnerabilities stating things like blind sql injection, xss, etc.  These are happening on URL variables even with pages that have no sql at all.  My general question is it a best practice to always encase all url variables in the urlencodedformat tag to protect them?  We do have a shop best practice of always using cfqueryparam to protect against other types of sql injection.