March 30, 2012

How do I get around global script protection in my CMS?


We have global script protection enabled on our CF server.  I am the admin with full rights.  The tags it scans for and replaces with "invalidTag" are these, which are located in the neo-security.xml file:

     object|iframe|embed|xss|script|javascript|applet|meta

However, we occasionally introduce these tags into pages controlled by our CMS, which of course go into a database.  When that happens the tags are replaced with "invalidTag".

I want and need script protection enabled to prevent against hackers, but I also want to be able to add these tags to our local CMS.  What is the best way around this?  Right now, I actually had to remove "object" and "embed" from the list it scans against, but I feel like this defeats the purpose.

When I Googled this issue I saw a couple of hacks that had something to do with re-writing the tag after it was sent into the database, but that seems kind of polish to me.  I'm wondering if I'm missing some simple trick to get around this.  But then I guess if I could, a hacker could.

Thanks for any advice.


BKBK
Community Expert
March 30, 2012

You may of course use those tags in your CMS! Script protection only means you shouldn't pass the tags as part of a CGI, COOKIE, FORM or URL variable.

DCwebGuy (Author)
March 30, 2012

My CMS is submitting through forms, so that's why the tags are being caught.  I'm talking about using those tags inside the content that's being submitted by the CMS.  I'm not talking about the code that actually runs the CMS.

BKBK (Correct answer)
Community Expert
March 30, 2012

Thanks for clearing that up. I think you said it succinctly yourself: 'I actually had to remove "object" and "embed" from the list it scans against, but I feel like this defeats the purpose'. I think it's a matter of weighing the risks and the benefits, and then making a choice.
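As an added illustration (not code from the thread or from Adobe), one way to act on BKBK's point that script protection only concerns the CGI, COOKIE, FORM and URL scopes: ColdFusion's Application.cfc can override the server-wide setting per application with `this.scriptProtect`, so the authenticated CMS editing application can accept raw markup in FORM while the public-facing site keeps the Administrator default. The application name and the assumption that the editor is a separate application are hypothetical.

```cfml
// Application.cfc for the CMS editing application only (hypothetical).
// Assumes ColdFusion's per-application this.scriptProtect setting; every
// other application on the server still gets the Administrator setting,
// so "object" and "embed" can stay in the global neo-security.xml list.
component {
    this.name = "cmsEditor";          // hypothetical application name
    this.sessionManagement = true;

    // Keep script protection on the scopes the editor never needs markup
    // in, and relax it only for FORM, where editors submit page content.
    // Accepted values: "all", "none", or a list drawn from cgi,cookie,form,url.
    this.scriptProtect = "cgi,cookie,url";

    // Limit the relaxed setting to logged-in editors: anyone without an
    // editor session is sent to the login page before any form is processed.
    boolean function onRequestStart(required string targetPage) {
        if (!structKeyExists(session, "editorId")) {
            location("login.cfm", false);
        }
        return true;
    }
}
```

Content saved this way is still untrusted when it is rendered on the public site, so the public application's own output handling decides what finally reaches visitors.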