scriptProtect ColdFusion 9


I'm trying to use scriptProtect, but I was wondering if there is something more that I need to do to secure my application as much as possible. Also, does scriptProtect work like HTMLEditFormat, or is it completely different?

And lastly, my application sits under another application, e.g. example.com/myapp/index.cfm. Do I add scriptProtect to the main Application.cfc under example.com? And if so, should I expect errors from the main app due to this tag? Should I write a component that extends Application.cfc and add scriptProtect to it?

Henry is on the right track. Certainly you trust scriptProtect functionality, though I think it is okay to use it in conjunction with other verification methods. And, for what it's worth, the ColdFusion Administrator has a global setting that enables scriptProtect for all applications running under that instance. It is named "Global Script Protection Enabled" in the Administrator, and it can be found under the Settings menu.

The scriptProtect setting is completely different from HTMLEditFormat and the encodeForXXX() functions. I just wanted to point out that the scriptProtect and/or "Global Script Protection" rules can be customized. This setting works by applying a regular expression to the variable value. The regular expression can be found in the server configuration file, or in the cf_root/WEB-INF/cfusion/lib/neo-security.xml file in the JEE configuration. By modifying the regular expression in the CrossSiteScriptPatterns variable, you can customize the patterns that ColdFusion replaces.

The default regular expression is defined as such:

    <var name='CrossSiteScriptPatterns'>
        <struct type='coldfusion.server.ConfigMap'>
            <var name='&lt;\s*(object|embed|script|applet|meta)'>
                <string>&lt;InvalidTag</string>
            </var>
        </struct>
    </var>

This means that, by default, the global script protection mechanism is only looking for &lt;object or &lt;embed or &lt;script or &lt;applet or &lt;meta in the Form, URL, CGI, and Cookie scopes and replacing them with &lt;InvalidTag. If you wish, you can enhance the regular expression to look for more cases and/or change the replacement string.
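
The difference between this pattern-based replacement and output encoding, shown as an added CFML example that is not part of the original answer and is not Adobe's implementation. `emulateScriptProtect` is a hypothetical helper that applies the default pattern quoted above to constructed sample values (case-insensitive matching of every occurrence is an assumption), next to what HTMLEditFormat does with the same values.

```cfml
<cfscript>
// Added illustration: emulate the default CrossSiteScriptPatterns rule
// from neo-security.xml. Hypothetical helper, not the server's own code.
// Assumption: the rule is applied case-insensitively to every match.
function emulateScriptProtect(required string value) {
    return reReplaceNoCase(
        arguments.value,
        "<\s*(object|embed|script|applet|meta)",
        "<InvalidTag",
        "all"
    );
}

// Constructed sample values, as they might arrive in the Form or URL scope.
samples = [
    "Hello world",                      // no markup: untouched
    "<script>alert(1)</script>",        // listed tag: opening tag rewritten
    "< META http-equiv='refresh'>",     // whitespace after '<' is covered by \s*
    "<iframe src='x.html'></iframe>"    // tag not in the list: untouched
];

for (i = 1; i <= arrayLen(samples); i++) {
    original = samples[i];
    filtered = emulateScriptProtect(original);
    changed  = compare(filtered, original) neq 0;

    // htmlEditFormat() around each value below is only there so that the
    // browser displays the literal strings being compared.
    writeOutput("<p>input: " & htmlEditFormat(original) & "<br>");
    writeOutput("after pattern: " & htmlEditFormat(filtered) & "<br>");
    writeOutput("changed by pattern: " & yesNoFormat(changed) & "<br>");

    // Output encoding works on characters, not tag names: every '<' and '>'
    // becomes an entity, whatever the tag is. The double call
    // shows the encoded form itself on the page.
    writeOutput("HTMLEditFormat gives: "
        & htmlEditFormat(htmlEditFormat(original)) & "</p>");
}
</cfscript>
```

The pattern only rewrites the opening of the five listed tags in incoming scope values, while HTMLEditFormat encodes whatever value it is given at output time, which is why the two are used together rather than one in place of the other.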
