问题
I have a form which contains many text boxes. All the text boxes are required fields. As these are textboxes I can not use specific validation except the length. But i do not want to allow the users to insert tags that are vulnerable to xss attacks.
I know in ColdFusion i can use htmlEditFormat(),encodeForHTML() while displaying user data for preventing XSS, But I just want to prevent those from inserting to db.'GlobalScriptProtect' option also does not add much security as per my knowledge. As I am in CF10, so can not use getSafeHTML()
Is there any way to prevent theses malicious inputs from inserting into the DB in CF10. Can I go for client side sensitization ?
回答1:
There is a UDF on CFlib.org isXss that checks a value to determine if it is xss. I have used this function and built a custom tag to check every form field and query string field before I submit it to the database. After implementing this, I have been able to pass countless PCI scans and have not had any xss issues.
来源:https://stackoverflow.com/questions/26059129/how-to-prevent-script-tags-and-other-xss-entities-from-being-inserted-into-the-d