0 Replies Latest reply on Jan 13, 2009 6:26 AM by CFMLGuru

    XSS Prevention - Urgent Timeline

    CFMLGuru Level 1
      I am familiar with scriptprotect and modifying the configuration file to include certain strings that should be stripped from the user input. I have looked at CFLib's SafeText. But I can't see a solution anywhere for things like %2F, which translates in the system as /. I tried doing a ReFindNoCase("%[0-9]+",text) but it doesn't seem to be working. Do I have my regular expression set up incorrectly? I am trying to find any instances where an XSS attack may be occurring and deny further interaction.

      There was an example given to me that helped me see the light. https://www.yourwebsite.com/index.cfm?fuseaction=company.ANYTHING%22%2Balert(%27XSS-Insert_Evil_Script_Here%27)%2B%22.

      Thank you in advance.
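The following is an added example, not code from the post or from ColdFusion, written in Python so it can be run stand-alone; the patterns translate directly to ReFindNoCase. It uses the query string quoted in the post as a constructed sample. Two things are worth seeing on real input: the pattern %[0-9]+ does hit the raw query string (it matches the "%2" of "%2F"), but by the time a value sits in a server-side variable such as url.fuseaction the web server or application server has already percent-decoded it, so there is no "%" left to find; and a block-list of escapes is fragile against double encoding (%252F), so the check should decode until the value stops changing and then apply an allow-list. The allow-list shape for fuseaction ("circuit.action", word characters only) is an assumption for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample: the query string from the post, still percent-encoded,
# i.e. what cgi.query_string would carry before any decoding.
RAW_QUERY = "fuseaction=company.ANYTHING%22%2Balert(%27XSS-Insert_Evil_Script_Here%27)%2B%22"

# Pattern from the post: '%' followed by decimal digits only.
POST_PATTERN = re.compile(r"%[0-9]+")
# Shape of a real percent-escape: '%' followed by exactly two hex digits, either case.
ESCAPE_PATTERN = re.compile(r"%[0-9A-Fa-f]{2}")


def find_escapes(text, pattern=ESCAPE_PATTERN):
    """Return every match of the escape pattern in text, e.g. ['%22', '%2B']."""
    return pattern.findall(text)


def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing, so %252F ends up as '/'
    rather than '%2F'. max_rounds caps pathological inputs."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


# Block-list of fragments that never belong in a fuseaction name. Kept only to
# show what the post is trying to catch; allowed_fuseaction() is the stronger check.
SUSPICIOUS = re.compile(r"""["'<>()+;]|javascript:|alert\s*\(""", re.IGNORECASE)


def is_suspicious(param_value):
    """True if the fully decoded value contains injection-style characters."""
    return SUSPICIOUS.search(fully_decode(param_value)) is not None


def allowed_fuseaction(param_value):
    """Allow-list (assumed shape): 'circuit.action', word characters only.
    Anything else, including the post's payload, is rejected after decoding."""
    return re.fullmatch(r"[A-Za-z0-9_]+\.[A-Za-z0-9_]+", fully_decode(param_value)) is not None


if __name__ == "__main__":
    raw_value = RAW_QUERY.split("=", 1)[1]
    decoded_value = unquote(raw_value)  # what url.fuseaction holds once the server has decoded it
    print("raw escapes    :", find_escapes(raw_value))
    print("decoded escapes:", find_escapes(decoded_value))  # empty: nothing left to match
    print("suspicious     :", is_suspicious(raw_value))
    print("allowed        :", allowed_fuseaction(raw_value))
    print("allowed (good) :", allowed_fuseaction("company.home"))
```

Run it and the raw string yields six escapes while the decoded string yields none, which is why a "%"-based regex applied to the url scope never fires. Whatever the input check does, the change that actually stops this payload from executing is escaping the value when it is written back into the page (HTMLEditFormat in the ColdFusion of that era, encodeForHTML in later versions); input filtering is a second layer, not the fix.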