Macromedia Coldfusion MX 7 Web Application Construction Kit

One way your web application be harmed is by cross-site scripting. This is simply the use of HTML and other codes within web based form. As a simple example, imagine a forums application that lets people write their own entries. Someone could write an entry that contained JavaScript code. When someone else views that page, the JavaScript code is executed just as if you had written it yourself. This could be very dangerous. Luckily, ColdFusion provides a simple solution. In chapter 19, you learned about the Application.cfc file and how you can configure ColdFusion applications via the THIS scope. You can simply add one more attribute to the THIS scope:

<cfset THIS.scriptProtect="all">

This one line will clean all FORM, URL, CGI, and COOKIE variables. So for example, this line of text:

<script>alert('hi');</script>

becomes

<InvalidTag>alert('hi');</script>

You can specify just one of the above scopes instead of "ALL" if you want to be more specific. You can also turn on this feature automatically in the ColdFusion Administrator Settings page.