Skip CFapplication locks (object, embed, …)

CFApplication locks the OBJECT and EMBED HTML tags, as the documentation page says:

The ColdFusion MX cross-site scripting protection operation is done when ColdFusion MX processes the application settings at the beginning of a request. Thus, it can process the URL, Cookie, CGI, and Form variables in a user's request. By default, it replaces occurrences of the following tag names with the text InvalidTag: object, embed, script, applet, and meta. It allows these names in plain text, but replaces the words if they are used as tag names.


OBJECT and EMBED tags are used by almost all online video sharing services. If you build a CMS in which users can insert a shared video, you need to get around this small obstacle without introducing too many security bugs. One easy approach is to transform the field before CFApplication and restore it afterwards, changing only the selected fields. I've tried it with encrypt and decrypt and with CFWDDX too, and both work well. Example 1:

<!--- WDDX escapes the angle brackets, so scriptProtect finds no tag name in the field --->
<cfif isDefined("form.video")>
    <cfwddx action="cfml2wddx" input="#form.video#" output="form.video">
</cfif>
<cfapplication name="myApp" clientmanagement="yes" sessionmanagement="yes">
<!--- restore the original value once the application settings have run --->
<cfif isDefined("form.video")>
    <cfwddx action="wddx2cfml" input="#form.video#" output="form.video">
</cfif>


Instead of CFWDDX you can use encrypt and decrypt:

<cfset key = "kt09j94rjfj438yhrf">
<!--- encrypt the field so scriptProtect only sees an opaque string --->
<cfif isDefined("form.video")>
    <cfset form.video = encrypt(form.video, key)>
</cfif>
<cfapplication name="myApp" clientmanagement="yes" sessionmanagement="yes">
<!--- decrypt it back once the application settings have run --->
<cfif isDefined("form.video")>
    <cfset form.video = decrypt(form.video, key)>
</cfif>
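
The same encrypt/decrypt wrapper, followed by the validation a CMS needs once scriptProtect no longer sees the field: this is an added example, not code from the original post, and the allowedHosts list and the three checks are assumptions about what the CMS should accept.

```cfml
<!--- Added example, not code from the original post: the encrypt/decrypt
      wrapper from above, followed by checks on the restored field, which
      scriptProtect no longer touches. allowedHosts is an assumed allowlist. --->
<cfset key = "kt09j94rjfj438yhrf">
<cfif isDefined("form.video")>
    <cfset form.video = encrypt(form.video, key)>
</cfif>
<cfapplication name="myApp" clientmanagement="yes" sessionmanagement="yes">
<cfif isDefined("form.video")>
    <cfset form.video = decrypt(form.video, key)>
    <cfset allowedHosts = "youtube.com,vimeo.com">
    <cfset videoOK = true>

    <!--- 1. only object, embed and param tags may appear in the snippet --->
    <cfset pos = 1>
    <cfloop condition="videoOK">
        <cfset tag = reFindNoCase("<\s*/?\s*([a-z0-9]+)", form.video, pos, true)>
        <cfif tag.pos[1] EQ 0><cfbreak></cfif>
        <cfif NOT listFindNoCase("object,embed,param", mid(form.video, tag.pos[2], tag.len[2]))>
            <cfset videoOK = false>
        </cfif>
        <cfset pos = tag.pos[1] + tag.len[1]>
    </cfloop>

    <!--- 2. every absolute URL must point at an allowlisted host --->
    <cfset pos = 1>
    <cfset urlCount = 0>
    <cfloop condition="videoOK">
        <cfset u = reFindNoCase("https?://(www\.)?([a-z0-9.-]+)[/""']", form.video, pos, true)>
        <cfif u.pos[1] EQ 0><cfbreak></cfif>
        <cfset urlCount = urlCount + 1>
        <cfif NOT listFindNoCase(allowedHosts, mid(form.video, u.pos[3], u.len[3]))>
            <cfset videoOK = false>
        </cfif>
        <cfset pos = u.pos[1] + u.len[1]>
    </cfloop>

    <!--- 3. at least one URL, and no inline event handlers or script URLs --->
    <cfif urlCount EQ 0 OR reFindNoCase("\son[a-z]+\s*=|javascript:|vbscript:|data:", form.video)>
        <cfset videoOK = false>
    </cfif>

    <cfif NOT videoOK>
        <cfset form.video = "">   <!--- reject the field rather than try to repair it --->
    </cfif>
</cfif>
```

Anything the checks reject is discarded whole, since a field that scriptProtect does not see has to be treated as untrusted HTML by the page that stores it.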


Bye. Have a good CFDay! (Italian version)
