How do I get around global script protection in my CMS?

Contributor, Mar 30, 2012

We have global script protection enabled on our CF server.  I am the admin with full rights.  The tags it scans for and replaces with "invalidTag" are these, which are located in the neo-security.xml file:

     object|iframe|embed|xss|script|javascript|applet|meta

However, we occasionally introduce these tags into pages controlled by our CMS, which of course go into a database.  When that happens the tags are replaced with "invalidTag".

I want and need script protection enabled to protect against hackers, but I also want to be able to add these tags to our local CMS.  What is the best way around this?  Right now, I actually had to remove "object" and "embed" from the list it scans against, but I feel like this defeats the purpose.

When I Googled this issue I saw a couple of hacks that had something to do with re-writing the tag after it was sent into the database, but that seems kind of polish to me.  I'm wondering if I'm missing some simple trick to get around this.  But then I guess if I could, a hacker could.

Thanks for any advice.


Community Expert, Mar 30, 2012

You may of course use those tags in your CMS! Script protection only means you shouldn't pass the tags as part of a CGI, COOKIE, FORM or URL variable.

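To make the reply above concrete, here is an added example (not code from the thread or from ColdFusion's own implementation) that emulates what Global Script Protection does to the request scopes named in that reply. The regular expression is an assumption built from the tag list the question quotes; the real one lives in neo-security.xml and may differ in detail. The sample values are constructed. Note that only CGI, COOKIE, FORM and URL are rewritten, that the match is case-insensitive, and that anything outside the list, such as an img tag with an onerror handler, passes through untouched, so the rewrite is a coarse input filter rather than a complete XSS defence.

```cfml
<cfscript>
// Added example: emulates the Global Script Protection rewrite using the
// tag list quoted in the question. The pattern is an assumption; the
// server's own regex is read from neo-security.xml.
protectPattern = "<\s*(object|iframe|embed|xss|script|javascript|applet|meta)";

function emulateScriptProtect(required string value) {
    // Case-insensitive; every match in the string is rewritten, the rest
    // of the value is left exactly as submitted.
    return reReplaceNoCase(arguments.value, protectPattern, "<invalidTag", "all");
}

// Constructed request values. Only the four request scopes are filtered;
// SESSION is included to show that it is not.
samples = [
    { scope = "FORM",    value = "<p>Intro</p><script>alert(1)</script>" },
    { scope = "FORM",    value = "<object data='player.swf'></object>" },
    { scope = "URL",     value = "<IFRAME src='//example.invalid'>" },
    { scope = "COOKIE",  value = "<img src=x onerror=alert(1)>" },
    { scope = "SESSION", value = "<script>not a request scope</script>" }
];

for (i = 1; i <= arrayLen(samples); i++) {
    s = samples[i];
    // Script protection never touches SESSION, APPLICATION or values
    // read back from the database; it runs on the incoming request only.
    if (listFindNoCase("CGI,COOKIE,FORM,URL", s.scope)) {
        filtered = emulateScriptProtect(s.value);
    } else {
        filtered = s.value;
    }
    // htmlEditFormat so the demo page shows the markup instead of running it.
    writeOutput(s.scope & " in:  " & htmlEditFormat(s.value) & "<br>");
    writeOutput(s.scope & " out: " & htmlEditFormat(filtered) & "<br><br>");
}
</cfscript>
```

Run as a .cfm page the output shows the script, object and IFRAME values rewritten to invalidTag, the COOKIE value with the img tag unchanged, and the SESSION value unchanged. Content that has already been stored is never rewritten, which is why the poster only sees the problem on the form submission that carries it in.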
Contributor, Mar 30, 2012

My CMS is submitting through forms, so that's why the tags are being caught.  I'm talking about using those tags inside the content that's being submitted by the CMS.  I'm not talking about the code that actually runs the CMS.

Community Expert, Mar 30, 2012 (Correct answer)

Thanks for clearing that up. I think you said it succinctly yourself: 'I actually had to remove "object" and "embed" from the list it scans against, but I feel like this defeats the purpose'. I think it's a matter of weighing the risks and the benefits, and then making a choice.

Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
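The accepted answer frames this as a risk trade-off. One way to make that trade-off narrower than editing neo-security.xml is to override the setting per application, since the Administrator's Global Script Protection value is a server-wide default that an Application.cfc can override with this.scriptProtect ("all", "none", or a comma-delimited list of the scopes cgi, cookie, form and url). The following is an added example, not the poster's code: an Application.cfc for the CMS admin directory that keeps the filter on for CGI, COOKIE and URL, turns it off for FORM (the scope the editor actually posts through), and only serves requests to an authenticated editor session. The application name, the session key editorId and the login page name are assumptions; the public site keeps its own Application.cfc with this.scriptProtect = "all" or simply inherits the Administrator default.

```cfml
// Application.cfc for the CMS admin application only (added example, not the
// poster's code). Because it sits in the admin directory it governs requests
// under that path; every other application on the server keeps the
// Administrator's Global Script Protection default.
component {
    this.name = "cmsAdmin";                        // assumed application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // Keep the filter on for the scopes the editor never legitimately puts
    // markup in, and leave FORM alone so the editor's POST body arrives
    // intact. "none" would switch it off for all four scopes.
    this.scriptProtect = "cgi,cookie,url";

    public boolean function onRequestStart(required string targetPage) {
        // Raw tags are accepted only from an authenticated editor session;
        // the login page is the one unauthenticated request allowed through.
        var isLoginPage = findNoCase("login.cfm", arguments.targetPage) > 0;
        if (!isLoginPage && !structKeyExists(session, "editorId")) {
            // session.editorId is an assumed key set by the login handler
            location(url="login.cfm", addToken=false);
            return false;
        }
        return true;
    }
}
```

Scoping the exception this way means the poster no longer has to drop object and embed from the server-wide list: the public site, and any other application on the same instance, keeps the full pattern, and the unfiltered FORM scope exists only behind the admin login. It does not make stored editor content safe to render anywhere; that still rests on who is allowed to log in to the editor.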
Resources