Are you testing FORM or URL variables (or both)? Are you dumping (or emailing) the failed form/URL parameters so you can determine what may be triggering it? What type of redirect are you performing? (I'm returning a 403 error instead of redirecting.)
I am testing both form and URL scopes. If anything is found, it doesn't email or anything, it just redirects to the /index.cfm page.
I know _what_ is triggering it - I'm testing by placing HTML tags and HTML entities into a textarea. But I need to figure a way to get it to display an error message if triggered by a specific cgi.http_referer. In the Application.cfc, there is a line:
<cfif session.redirect eq 1> <cflocation url="/" addtoken="no" /> </cfif>
I modified this to:
<cfif session.redirect eq 1>
    <cfif trim(cgi.http_referer) eq "formpage.cfm">
        Please correct the following: blah blah blah
        <cfabort>
    <cfelse>
        <cflocation url="/" addtoken="no" />
    </cfif>
</cfif>
... but the root index page still appears within the DOM of the form page.
CGI.Referer can be spoofed, not passed by the browser, or stripped by a proxy. I wouldn't entirely trust it except during specific testing.
Do you know which rules are failing? You could create a copy of the portcullis.cfc, modify it to add some reporting and then use it during your personal session instead of the regular one.
Which version of ColdFusion and hosted OS are you using?
We had to write some exceptions for CKEditor HTML values, but we use JSoup to sanitize it to identify/remove non-approved HTML. It's extremely effective and no XSS or unsupported HTML tags or parameters are returned in the result. (I like this solution too because it allows me to rewrite HTML so that it's more compatible with all email HTML clients.)
JSOUP - How to get list of disallowed tags found in html?
AntiSamy is another possible solution to sanitize HTML, but I haven't used it.
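An added example of the JSoup allow-list approach described above (not the poster's code): it sanitizes an untrusted CKEditor-style fragment and also reports which tag names were dropped, which is the question linked above. It assumes jsoup 1.15 or later, where the allow-list class is named Safelist (older releases call it Whitelist); the input string is constructed for the demo.

```java
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Cleaner;
import org.jsoup.safety.Safelist;

public class HtmlSanitizer {
    // Allow-list policy: only the tags/attributes named here survive cleaning.
    // Safelist.basic() covers simple formatting (b, i, p, ul, li, a, ...) and
    // restricts a[href] to http/https/ftp/mailto, so javascript: links are dropped.
    private static final Safelist POLICY = Safelist.basic().addTags("h1", "h2", "h3");

    /** Returns the input with everything outside the policy removed. */
    public static String sanitize(String untrustedHtml) {
        return Jsoup.clean(untrustedHtml, POLICY);
    }

    /** True when the fragment already conforms to the policy (useful for logging). */
    public static boolean isClean(String untrustedHtml) {
        return Jsoup.isValid(untrustedHtml, POLICY);
    }

    /** Tag names present in the input but absent after cleaning (attribute-only
     *  removals such as onerror= are not reported; compare sanitize() output for those). */
    public static Set<String> disallowedTags(String untrustedHtml) {
        Document before = Jsoup.parseBodyFragment(untrustedHtml);
        Document after = new Cleaner(POLICY).clean(before);
        Set<String> kept = new HashSet<>();
        for (Element e : after.body().getAllElements()) kept.add(e.tagName());
        Set<String> removed = new LinkedHashSet<>();
        for (Element e : before.body().getAllElements()) {
            String tag = e.tagName();
            if (!tag.equals("body") && !kept.contains(tag)) removed.add(tag);
        }
        return removed;
    }

    public static void main(String[] args) {
        // Constructed sample: legitimate formatting mixed with markup the policy rejects.
        String input = "<p>Hi <b>there</b></p><script>steal()</script>"
                     + "<iframe src=\"https://example.invalid\"></iframe><img src=\"x\" onerror=\"steal()\">";
        System.out.println("valid: " + isClean(input));
        System.out.println("clean: " + sanitize(input));
        System.out.println("dropped tags: " + disallowedTags(input));
    }
}
```

The dropped-tag set is what you would write to a log or email for review; the sanitized string is what goes to storage or the outgoing email template.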
Thank you for replying. This is soon to be a non-issue. The decision has been reached (and I like to think I helped push it along) to kick Portcullis to the curb - mostly because the last version was released January 2010. I am now in the process of trying to implement the new ESAPI for sanitization. So, I'll now be posting a question in the forum related to that.
Thanks, and V/r,