How to handle Script Attack in application
We are facing issues of javascript getting embedded into message body, following is the code snippet of the javascript,
} {*\htmltag241 var DanaShimData="var DSJsFuncs = ,null,,,,[{nm:\"Refresh\",lcnm:\"refresh\",flg:0xb},{nm:\ \"Install\",flg:0xf},{nm:\"writeln\",flg:0x3f},{nm:\ "GotoURL\ \",flg:0xe},{nm:\"AddRoot\",lcnm:\"addroot\",flg:0xb},{nm:\ \"LoadURL\",lcnm:\"loadurl\",flg:0xb},{nm:\"addRule\ ",flg:0xf}, {nm:\"postURL\",lcnm:\"posturl\",flg:0x12},{nm:\ "replace\ \",flg:0x12f},],[{
Could anyone please let us know if you have observed such occurrences / findings.
Any help is appreciated.
Thanks, Sudipta Ghosh
Try to use HTMLCodeFormat() or HTMLEditFormat().
See docs.
There is a project called 'AntiSamy' (http://www.antisamy.net/) which uses files to combat XSS attacks that are provided by big sites like Slashdot and eBay. You may want to look at extracting the AntiSamy code to help you.
Here is a post by Peter Freitag on using AntiSamy without ColdBox. http://www.petefreitag.com/item/760.cfm
Here are the docs for the ColdBox Framework: http://wiki.coldbox.org/wiki/Plugins:AntiSamy.cfm
Also make sure you use cfqueryparams, captchas, or some sort of session authentication on form posts.
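The two answers above take different approaches to the embedded script: the first escapes every significant character so the message body is displayed as literal text, the second (AntiSamy) keeps a whitelist of harmless markup and strips the rest. As an added illustration that is not code from either poster, the following CFML page applies both to a constructed message body. HTMLEditFormat() and HTMLCodeFormat() are the functions named above; encodeForHTML() and getSafeHTML() are ColdFusion 10+ built-ins that this example assumes are available, and the AntiSamy policy file path is a placeholder.

```cfml
<cfscript>
// Constructed sample of an untrusted message body (not taken from the question).
untrustedBody = '<b>Status update</b> <script>var DanaShimData="...";</script> ' &
                '<a href="javascript:alert(1)">link</a>';

// 1. Escape everything: the body is rendered as literal text, so an embedded
//    <script> is displayed, never executed. HTMLEditFormat() escapes < > & and
//    double quotes; HTMLCodeFormat() does the same and wraps the result in <pre>.
escapedBody = HTMLEditFormat(untrustedBody);

// On ColdFusion 10+ the ESAPI-backed encoder is the recommended replacement
// for HTMLEditFormat(); it covers the same output context (HTML element body).
encodedBody = encodeForHTML(untrustedBody);

// 2. Whitelist sanitising (ColdFusion 10+): getSafeHTML() runs AntiSamy with a
//    policy file and drops <script> and javascript: URLs while keeping the tags
//    the policy allows (here <b> and a plain <a href="http://...">).
//    "antisamy-policy.xml" is a placeholder for your own policy file.
policyFile = expandPath("./antisamy-policy.xml");
sanitisedBody = getSafeHTML(untrustedBody, policyFile, false);

// Pick one strategy per output point: encode when the message should read as
// text, sanitise only where users are genuinely allowed limited HTML.
writeOutput("<h3>As text (HTMLEditFormat)</h3><p>" & escapedBody & "</p>");
writeOutput("<h3>As text (encodeForHTML)</h3><p>" & encodedBody & "</p>");
writeOutput("<h3>As limited HTML (AntiSamy)</h3><div>" & sanitisedBody & "</div>");
</cfscript>
```

The encoding branch is the safe default for a message body that is meant to be plain text; the sanitising branch should only be used where the application intentionally renders user-supplied markup, and the result of getSafeHTML() is then emitted without further encoding because the policy, not the encoder, is what constrains it.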