How to prevent script tags and other XSS objects from being inserted into db?

I have a form that contains many text fields. All text fields are required. Since these are text fields, I cannot use specific validation except for the length. But I do not want users to insert tags that are vulnerable to xss attacks.

I know that in ColdFusion I can use htmlEditFormat() and encodeForHTML() when displaying user data to prevent XSS, but I just want to not let those get embedded in the db. GlobalScriptProtect also doesn't add a lot of security, according to my knowledge. Since I am on CF10, I cannot use getSafeHTML().

Is there a way to prevent the malicious entries of this data from entering the database in CF10? Can I go for client-side sanitization?

+1
1 answer

There is a UDF on CFlib.org, isXss, that checks a value to determine if it is XSS. I used this function and created a custom tag to check each form field and query string field before I submit it to the database. After implementing this, I was able to go through countless PCI scans and had no XSS issues.

+5
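As an added example (not the CFlib isXss UDF and not code from the answer above), here is a CFScript sketch in the spirit of what the answer describes: every submitted field is scanned for markup constructs that have no business in a plain-text form field, and the submission is rejected before anything reaches the database. The pattern list and the function names are my own assumptions; the snippet relies only on functions that exist in CF10 (`reFindNoCase`, `isSimpleValue`, `arrayAppend`, `writeLog`). Note that a denylist like this is defense in depth, not a replacement for `encodeForHTML()` on output and `cfqueryparam` on the insert: a pattern check can only catch what it was written to recognise.

```cfml
<cfscript>
// Added example, not the CFlib isXss UDF. The patterns are my own choice
// (assumption): constructs that are almost never legitimate in a plain-text field.
variables.suspiciousPatterns = [
    "<\s*/?\s*(script|iframe|object|embed|svg|img|style|link|meta)\b", // tags
    "javascript\s*:",           // javascript: URLs
    "vbscript\s*:",             // vbscript: URLs
    "\bon[a-z]+\s*=",           // inline event handlers such as onerror=
    "expression\s*\(",          // legacy IE CSS expressions
    "&##x?[0-9a-f]+;?",         // numeric entities used to hide the above ("##" is a literal "#" in CFML)
    "%3c|%3e"                   // URL-encoded angle brackets
];

// Returns true when the value contains one of the constructs above.
boolean function looksLikeMarkup(required string value) {
    for (var pattern in variables.suspiciousPatterns) {
        if (reFindNoCase(pattern, arguments.value)) {
            return true;
        }
    }
    return false;
}

// Walks a struct such as the form or url scope and returns the names of the
// offending fields, so the caller can reject the whole submission.
array function findSuspiciousFields(required struct fields) {
    var bad = [];
    for (var name in arguments.fields) {
        if (isSimpleValue(arguments.fields[name]) && looksLikeMarkup(arguments.fields[name])) {
            arrayAppend(bad, name);
        }
    }
    return bad;
}

// Usage in the form action page (hypothetical):
badFields = findSuspiciousFields(form);
if (arrayLen(badFields)) {
    // Log the attempt and redisplay the form; the values are never stored.
    writeLog(file = "formValidation", type = "warning",
             text = "Rejected form fields: " & arrayToList(badFields));
    // ... show a validation error to the user ...
} else {
    // Insert with <cfqueryparam> and still call encodeForHTML() when displaying.
}
</cfscript>
```

Running the same check over the `url` scope covers the query-string fields the answer mentions. Because the check is on the server, it also holds when a client-side sanitizer is bypassed, which is why client-side validation alone cannot answer the original question.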
