We are currently using mostly CF11 but still have one production server with CF9. We run Webinspect and Nessus scans are consistently getting vulnerabilities stating things like blind sql injection, xss, etc. These are happening on URL variables even with pages that have no sql at all. My general question is it a best practice to always encase all url variables in the urlencodedformat tag to protect them? We do have a shop best practice of always using cfqueryparam to protect against other types of sql injection.
Yes, for anything that might contain special characters and anything from the client browser. There is also a family of editHTMLFormat functions that should be used for all html tag data (CF11 added several form OWASP recommendations).
Thanks Steve, I have put it around several of the URL variables on the pages with the findings. Will run another scan in the next few days and hopefully that will fix it.