<div>
also CF8 has an<br />
<br />
Enable Global Script Protection <br />
Specify whether to protect Form, URL, CGI, and Cookie scope variables from cross-site scripting attacks. <br />
<br />
check box in cfadmin (which should be -on- by default after install but isn't so turn it on)
</div>


<div>
hi <br />
--sidfishes thanks for u r solution and the link which u have given for security Compass i have seen in the known issues page that it is not compatible with firefox 3 and iam using firefox 3 only.<br />
--The Blocker.cfm (opensource) which uses <br />
var rePattern = createObject('java', 'java.util.regex.Pattern')<wbr />; <br />
which works fine in cfmx 7 but it gives error in cfmx6.1 because in the production server we are using cfmx 6.1 because i gone through this issue whle working on exporting excel data to database which works fine in cf 7 but it gives error in cf 6 so we have changed the whole logic and anyways thanks for ur solution i will work on this and know u the updates..
</div>


<div>
Security Compass hasn't updated that page yet .... version 0.40 is compatible with FF3 (I'm using FF3.0.7)<br />
<br />
The blocker is an extra layer and not entirely necessary. The replacenocase regex will prevent most if not all attacks. <br />
<br />
One other thing to note...you should make sure that -all- of your query variables are protected using cfqueryparam. This is recommended by Adobe (and me!) <br />
<br />
&lt;cfquery name=&quot;test&quot;....&gt;<br />
select * from tblk where id = &lt;cfqueryparam cfsqltype=&quot;cf_sql_integer&quot;<wbr /> value=&quot;#form.id#&quot;&gt;<br />
&lt;/cfquery&gt;<br />

</div>


<div>
hi sidfished thanks for u r solution and <br />
&nbsp;i have done my application scan go through this link u will understand<br />
<a href="http://www.codersrevolution.com/index.cfm/2008/7/24/Parameterize-your-queries-without-lifting-a-finger" rel="ugc">http://www.codersrevolution.com/index.cfm/2008/7/24/Parameterize-your-queries-without-lifting-a-finger</a><br />
it will replace the query with cfqueryparam and maximum all the queries have been replaced and my problem is it got replaced with only &lt;cfqueryparam vaule=&quot;sdd&quot;&gt; and there is no sqltype it is enough to solve the sql injection<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;thanks.<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;shariff<br />

</div>


<div>
please don't forget to close the question
</div>


<div>
<div class="content wysiwyg-content">
hi all<br />
the testing people has scanned the application i.e.,,(machine test) and found &nbsp;that The test successfully embedded a script in the response, and it will be executed once the page is<br />
loaded in the user's browser. This means that the application is vulnerable to Cross-Site Scripting and they told us to Filter out hazardous characters from user input and iam unable to find a solution any help woul be kindly appreciated..<br />

<pre><code class="code-1 nolinks" id="code-261170"><span>&lt;form name=&quot;login&quot; method=&quot;post&quot; action=&quot;index.cfm?</span>
<span>lang=en&amp;var1=0&quot;&gt;&lt;/STYLE&gt;&lt;STYLE&gt;@import&quot;javascript:alert(1214948) 1214948)&quot;;&lt;/STYLE&gt;</span>
<span>&amp;CustNo=|&amp;Page=5&amp;index=true&quot;&gt;</span>
</code></pre>
</div>
</div>


hi all
the testing people has scanned the application i.e.,,(machine test) and found  that The test successfully embedded a script in the response, and it will be executed once the page is
loaded in the user's browser. This means that the application is vulnerable to Cross-Site Scripting and they told us to Filter out hazardous characters from user input and iam unable to find a solution any help woul be kindly appreciated..

Cross Site Scripting in Coldfusion

A web server refers to the software that helps to deliver web content that can be accessed either through the Internet or through an intranet. The primary function of a web server is to store, process and deliver web pages to clients. The communication between client and server takes place using the Hypertext Transfer Protocol (HTTP). The most common use of web servers is to host websites, but there are other uses such as gaming, data storage, running enterprise applications, handling email, FTP, etc.

Web Servers

Web development software is used to create websites for both the Internet and intranets. Software can be either locally installed or operated through a cloud interface, and ranges in complexity from simple text editors to full-fledged integrated development environments (IDEs) that include graphics, video, audio, scripting and database support.

Web Development Software

ColdFusion is a server-side rapid application development platform originally created by Allaire and now sold by Adobe, implementing the dynamic general purpose CFML programming language. The term ColdFusion is sometimes colloquially used to refer to the CFML language (Cold Fusion Markup Language), but can also include discussions of the server software implementation. ColdFusion runs using a customised version of Apache Tomcat. Earlier versions are bundled with JRun.