
Thread: IE cross-site scripting

Created on: 09/10/08 04:26 PM

Replies: 1

DouglasCWard


Member


Joined: 08/10/08

Posts: 12

IE cross-site scripting
09/10/08 4:26 PM

I saw discussion of this subject on the following thread:

http://www.coldfusionjedi.com/forums/messages.cfm?threadid=792A827C-19B9-E658-9D267ABF16F68DAC

But I'm not following the solution.

If I append the following URL string, in IE I get a popup box that won't go away (the only way out is to force quit the app):

blog/index.cfm?id="></XSS/*-*/STYLE=xss:e/**/xpression(alert(097531))>

I've tried creating a function that scrubs all URL variables, and slapped it into the top of the Application.cfm file:

<cffunction name="removeHTML" output="false" returntype="string">
    <cfargument name="myString" required="no" type="string" default="">
    <!--- Work on a var-scoped local copy and read the argument through the
          arguments scope explicitly, so the scrubbed value is what gets returned
          (an unscoped name inside a function is ambiguous between scopes). --->
    <cfset var cleaned = arguments.myString>
    <!--- Strip complete tags first, then any stray angle brackets --->
    <cfset cleaned = REReplace(cleaned, "<[^>]*>", "", "All")>
    <cfset cleaned = REReplace(cleaned, "<", "", "All")>
    <cfset cleaned = REReplace(cleaned, ">", "", "All")>
    <!--- Note: this removes tags but leaves quotes untouched, so a value written
          inside an HTML attribute still needs HTMLEditFormat() at output time --->
    <cfreturn cleaned>
</cffunction>

<!--- Scrub every URL parameter in place (cfset needs no cfoutput around it) --->
<cfloop collection="#URL#" item="VarName">
    <cfset URL[VarName] = removeHTML(URL[VarName])>
</cfloop>

But that isn't working.

Any ideas?

Thanks,

Doug Ward

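The payload above starts with `">`, which closes the attribute the id is echoed into before any tag is needed, so stripping tags on input is not enough on its own; the usual fix is to validate the parameter on input and encode it at the point it is written into the page, which is where changes to templates such as index.cfm and subscribe.cfm would go. Below is an added example of that pattern in CFML (not BlogCFC's own code); it assumes a template that echoes URL.id into an attribute value and into page text, and assumes entry ids are ColdFusion UUIDs.

```cfml
<!--- Added example, not BlogCFC's code. Assumes a page that echoes URL.id
      into an attribute value and into page text. --->
<cfparam name="url.id" default="">

<!--- 1. Validate on input: an entry id is expected to be a ColdFusion UUID here
      (assumption), so anything else is rejected before it can reach output. --->
<cfif NOT IsValid("uuid", url.id)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput><p>Invalid entry id.</p></cfoutput>
    <cfabort>
</cfif>

<!--- 2. Encode on output: HTMLEditFormat turns <, >, " and & into entities, so a
      value placed inside value="..." can neither close the attribute nor start
      a tag, whatever the input filter did or did not catch. --->
<cfoutput>
<input type="hidden" name="id" value="#HTMLEditFormat(url.id)#">
<p>Entry #HTMLEditFormat(url.id)#</p>
</cfoutput>
```

HTMLEditFormat() is the CF8-era function; ColdFusion 10 and later also provide EncodeForHTML() and EncodeForHTMLAttribute(), which are the better choice where available.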

admin


Experienced Member

Joined: 04/08/04

Posts: 2489

RE: IE cross-site scripting
09/10/08 4:55 PM

I fixed it by editing index.cfm and subscribe.cfm, the only files that seem to be open to this. If you can wait, this will be released later this week (on blogcfc.riaforge.org).
