
Stop Script Attacks in cfinput

Status
Not open for further replies.

brantGuy

Programmer
Feb 12, 2007
59
CA
How can I stop users from executing scripts on my site?

Any help would be appreciated.


Thanks
 
this.scriptProtect in the ini / construct area of the application.cfc

OR

scriptProtect="all" as an attribute in the <cfapplication> tag



Kevin

Phase 1: Read the CFML Reference
Phase 2: ???
Phase 3: Profit!
 
application.cfc should say this.scriptProtect = "all";

"all" can also be changed to just a list of the scopes you want to protect.

from a website somewhere...
'With scriptProtect ColdFusion can protect variables in URL, Cookie, CGI, and Form scopes by replacing object, embed, script, applet, and meta tags with the text “InvalidTag”.'


Kevin

Phase 1: Read the CFML Reference
Phase 2: ???
Phase 3: Profit!
 
Kevin, that's interesting. Is it a good idea to do this.scriptProtect = "all"; even when not using the cftextarea?

The quote you posted from some web site says this will also protect URL and cookies and the (HTML) Form scope.

So how do you add this tag in application.cfc or application.cfm? As a <cfset> var? In the <cfapplication> attribute?

____________________________________
Just Imagine.
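Both placements asked about above, as an added example that is not code posted by anyone in this thread: the Application.cfc form sets the value in the component's pseudo-constructor area (the <cfset> lines before any <cffunction>), and the older Application.cfm form uses the <cfapplication> attribute. The application name "myGuestbook" is an assumed placeholder; the scope names are the ones ColdFusion accepts for scriptProtect.

```cfml
<!--- Application.cfc (added example, not from the thread). --->
<cfcomponent output="false">
    <!--- Pseudo-constructor area: runs for every request before any handler. --->
    <cfset this.name = "myGuestbook">  <!--- assumed placeholder name --->

    <!--- Replace object, embed, script, applet and meta tags found in
          URL, Cookie, CGI and Form scope values with the text "InvalidTag". --->
    <cfset this.scriptProtect = "all">

    <!--- Alternative: name only the scopes you want scrubbed. --->
    <!--- <cfset this.scriptProtect = "form,url"> --->

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- Application.cfm equivalent (use one or the other, not both): --->
<cfapplication name="myGuestbook" scriptProtect="all">

<!--- Any page that echoes submitted text should still encode it on output;
      scriptProtect only rewrites a fixed set of tags, it is not output encoding. --->
<cfif structKeyExists(form, "message")>
    <cfoutput><p>#htmlEditFormat(form.message)#</p></cfoutput>
</cfif>
```

Treat scriptProtect as one layer: it neutralises the listed tags on the way in, while htmlEditFormat (or the newer encodeForHTML) on the way out covers everything else that lands in the page.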
 
spam is down today from about 80 messages to about 10 messages...

so things are working... although 10 is still too many...

I now need to get a curse-word filter, and if someone says a bad word, block their message...

Thanks again for the suggestions..

 
look for cfformprotect also

I think its project is hosted on RIAForge; it's a very unobtrusive way to fight spam and requires no user intervention like captchas do.

Kevin

Phase 1: Read the CFML Reference
Phase 2: ???
Phase 3: Profit!
 
<CFSET THIS.scriptProtect="all"> is only valid for CF7

Protects against cross site scripting (xss).

Are you looking for general security advice or strictly how to deal with xss?

Cheers,

Bluetone
 
a word filter can be as simple as creating a list of words as a variable and finding those words in the form post.
Code:
<!--- Comma-delimited list of words to mask --->
<cfset lsBadWords = "thisbad1,bad2,bad3,bad4">
<!--- Sample form value, stands in for a real post --->
<cfset form.inputFieldName = "this is my list of bad words. thisbad1 is a very bad word. bad2 is even worse. bad 3 is not, but bad3 is!">
<cfoutput><p>#form.inputFieldName#</p></cfoutput>
<cfloop list="#lsBadWords#" index="iBadWord">
	<!--- Replace every occurrence (scope "all"; the default replaces only the first) with asterisks of the same length --->
	<cfset form.inputFieldName = replaceNoCase(form.inputFieldName, iBadWord, repeatString("*", len(iBadWord)), "all")>
</cfloop>
<cfoutput><p>#form.inputFieldName#</p></cfoutput>

Now there are so many ways to improve this - this is just a start. Consider things like: what if a perfectly good word contains a bad word as part of it?

Kevin

Phase 1: Read the CFML Reference
Phase 2: ???
Phase 3: Profit!
 
On my site I use two techniques:
1) A JS badwords scrubber - this method throws an onKeyUp alert when bad words are entered in the field.
2) A server side script for users who might have JS turned off or using browsers that go iffy with the JS code.


Code:
SERVER SIDE CODE:
<!--- Comma-delimited list of words that are not allowed --->
<cfset bad_words = "word1,word2,word3,word4,word5">
<!--- ListFindNoCase matches only when the whole field value equals one list entry --->
<cfif ListFindNoCase(bad_words, FORM.Name)>
  <cflocation url="page1.cfm?status=2" addtoken="no">
</cfif>
<cfif ListFindNoCase(bad_words, FORM.Email)>
  <cflocation url="page1.cfm?status=2" addtoken="no">
</cfif>

NOTE: The status=2 is an indicator that bad words were used. So on "page1.cfm" you do a CFIF isdefined("status") and status=2 to send a proper message letting the user know to be nice.

To see the client side implementation, go to my site and under CONTACT US try using a known badword and see what happens.

____________________________________
Just Imagine.
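The word filter from Kevin's post and the server-side field check above share the same weakness in different directions: plain replaceNoCase also hits good words that happen to contain a bad one, while ListFindNoCase only fires when the whole field equals one list entry. The added example below (not code posted in this thread) puts both behind two small functions that match whole words only, using ColdFusion's regex functions with \b word boundaries. The word list, the sample text and the form field names are constructed for the example; it assumes the list entries contain only letters and digits, so they need no regex escaping.

```cfml
<!--- Added example, not from the thread: whole-word bad-word filtering. --->
<cfset lsBadWords = "thisbad1,bad2,bad3">  <!--- constructed list --->

<!--- Returns true when any list entry appears as a whole word in text. --->
<cffunction name="containsBadWord" returntype="boolean" output="false">
    <cfargument name="text" type="string" required="true">
    <cfargument name="badWords" type="string" required="true">
    <cfloop list="#arguments.badWords#" index="word">
        <!--- \b on both sides: "bad" will not match inside "badger" --->
        <cfif reFindNoCase("\b" & word & "\b", arguments.text)>
            <cfreturn true>
        </cfif>
    </cfloop>
    <cfreturn false>
</cffunction>

<!--- Returns text with every whole-word match replaced by asterisks. --->
<cffunction name="maskBadWords" returntype="string" output="false">
    <cfargument name="text" type="string" required="true">
    <cfargument name="badWords" type="string" required="true">
    <cfset var result = arguments.text>
    <cfloop list="#arguments.badWords#" index="word">
        <cfset result = reReplaceNoCase(result, "\b" & word & "\b",
                                        repeatString("*", len(word)), "all")>
    </cfloop>
    <cfreturn result>
</cffunction>

<!--- Constructed sample: "thisbad1" and "bad3" should be masked, "bad 3" should not. --->
<cfset sSample = "thisbad1 is a very bad word. bad 3 is not, but bad3 is!">
<cfoutput>
    <p>Contains bad word: #containsBadWord(sSample, lsBadWords)#</p>
    <p>#htmlEditFormat(maskBadWords(sSample, lsBadWords))#</p>
</cfoutput>

<!--- Same check applied to a submission, in the style of the redirect above.
      The field names "Name" and "Message" are assumed. --->
<cfif structKeyExists(form, "Name") and structKeyExists(form, "Message")>
    <cfif containsBadWord(form.Name, lsBadWords) or containsBadWord(form.Message, lsBadWords)>
        <cflocation url="page1.cfm?status=2" addtoken="no">
    </cfif>
</cfif>
```

Word boundaries cut down the false positives Kevin warns about, but they also mean a word split with spaces or punctuation slips through, as in the sample; the functions are a starting point for the server-side check, not a replacement for the spam marking discussed later in the thread.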
 
Sorry, I meant to say onBlur and not onKeyUp. Obviously the user has to spell the full word for the JS scrubber to kick in.

____________________________________
Just Imagine.
 
wow...

not 1 spam message in my guest book in the past 36 hours...

On average, I would have gotten 250 - 200 in that time frame...

Craig
 
no...

That's a great idea, but I just don't have the time to administrate it in that fashion. If I did, I would just have kept the queue and had the messages posted there for approval.


I want to say thanks to everyone for their great help on this, I really appreciate it..


Craig
 
Nah, you're already checking if a message is spam or not. If it is not spam, you're adding it to the DB. Well, add all messages to the DB, but just mark the spam as spam. On the display pages, only look up messages that are not marked spam. No extra admin, but if you ever want, you can monitor your spam accuracy.

glad it's working though

Kevin

Phase 1: Read the CFML Reference
Phase 2: ???
Phase 3: Profit!
 
I understand that aspect of it, but since I'm obsessive compulsive I will be checking the spam display 5 times an hour to make sure that only spam is going in there...

This would be viable if I was doing it for a client, and I probably will add in the feature...


Craig
 