> I have been trying to block a vulnerability on our site that was reported by our
> scanning software.
> The example they gave was:
> So that the '<scrript>alert(11799913.8357)</script>' part of the url triggers
> the Alert popup, which - I guess means that the site is vulnerable for
> something more nasty to be injected.
> I have code to deal with url variables being cleaned up in the
> application.cfm file, but nothing seems to block this bugger. Anyone else been
> down this path??
What version of CF are you on? The latest version has a cross scripting
blocking feature in the administrator.
htmlcodeformat() or htmleditformat()
Version is 6.1 as in my post title.
htmlcodeformat() or htmleditformat() will not work; the event happens before there is a chance to throw code at it... try it in your site URL and see.
Have you tried the cf_inputfilter custom tag?
Thanks for the suggestion though.
<cf_inputfilter scopes="[FORM][,COOKIE][,URL]"
    chars="list_of_chars"
    tags="ALL|list_of_tags">
it works for URLs, but, do whatever you need to get there.
Thanks for the info, I will try it. So far though this seems to trigger the alert box BEFORE any chance to manipulate URL vars. I'll post back my results.
I tried cf_inputfilter, it did not work for this:
<cf_inputFilter scopes = "URL" tags = "ALL">
How are you using the variable "block"? It seems like, you should be able to put some code in the application.cfc / application.cfm file that filters the values of the variables passed via URL. I'm not that familiar with cf_inputfilter, but it seems like as long as you are using it (or a similar UDF - check cftips.com?) before the variable "block" is placed in the HTML code it should filter it out for you.
> Thanks for the info, I will try it. So far though this seems to trigger the alert box
> BEFORE any chance to manipulate URL vars. I'll post back my results.
Take a look in your HTML code for your compiled page and see where your alert() box is being inserted. It seems probable that your variable may be called from an include or an application file before it gets to your template (especially probable if you are using fusebox).
Track down where your variable is being used and then put your filter BEFORE that in the CF code.
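An added example, not code from any post in this thread, of what the advice above looks like in CFML on ColdFusion MX 6.1: a request-wide filter in Application.cfm plus encoding at the exact point where the value is written into HTML. The variable name "block" comes from the thread; the template, its HTML, and the file layout are assumed.

```cfml
<!--- ===== Application.cfm (runs before every template, including includes) ===== --->
<!--- Strip anything that looks like a tag from every URL key before the request
      reaches a template. This alone is not sufficient (it is a blacklist), but it
      stops the scanner's literal payload from reaching any output statement. --->
<cfloop collection="#url#" item="key">
    <cfif REFindNoCase("<[^>]*>", url[key])>
        <cfset url[key] = REReplaceNoCase(url[key], "<[^>]*>", "", "ALL")>
    </cfif>
</cfloop>

<!--- ===== showblock.cfm (assumed template name) ===== --->
<cfparam name="url.block" default="">

<!--- Vulnerable form (commented out): the raw URL value is written straight into
      the page, so a value such as <script>alert(1)</script> runs in the visitor's
      browser. Encoding done elsewhere does not help if this line is reached first,
      which is what the thread describes with includes/fusebox. --->
<!---
<cfoutput><p>You selected block: #url.block#</p></cfoutput>
--->

<!--- Fixed form: encode on the expression being output. HTMLEditFormat() (available
      in CF MX 6.1) converts < > & " to entities, so the browser displays the text
      instead of executing it. It does not encode the single quote, so always put
      encoded values inside double-quoted attributes. Newer ColdFusion releases also
      provide EncodeForHTML() and EncodeForHTMLAttribute(), which are preferable. --->
<cfoutput>
    <p>You selected block: #HTMLEditFormat(url.block)#</p>
    <input type="text" name="block" value="#HTMLEditFormat(url.block)#">
</cfoutput>
```

To confirm the fix, view the compiled page's HTML source (as suggested above) and check that the reflected value appears as `&lt;script&gt;` rather than as a live tag; if it still appears raw, an earlier include is writing the variable before this template runs.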