Blogger Mike Sutton posted a very concise list of things to look out for in terms of security and web applications:
Top 10 Signs You Have an Insecure Web App
As I mentioned - the canceled CFJUG meeting this month was going to discuss just this. I'm thinking of rescheduling it for the 29th now, and will post when that is confirmed.
Archived Comments
thanks, I'm interested in this topic, especially if it covers how to prevent this sort of thing in CF.
Ray,
Thanks for the pointer. I see a good opportunity for an open source app that would utilize some of the searches he performed in the article and give a simple security report for all the websites under one's control. Automated testing = good!
Perhaps, I'll start one in December (when school's out) =).
I'm not sure I agree with point 9. The guy tells you to remove comments from your live code in case you use Google Code.
Seriously, who in the world removes their comments from their code before deploying?
tof-
When I read that, I was thinking more along the lines of "comment in the server side language you are using so it doesn't show up" rather than "remove all your comments"
But, he mentions things like "todo" and "fixme." I would hope every developer removes those before it goes into production - or else, it doesn't seem like it should be in production (or rather, if it no longer needs to be done or fixed, why keep the comment as clutter?)
tof: Sam has it right, the TODO and FIXME could reveal problems. And while you say CF strips all comments - what if an error occurs and you forgot to turn off robust exception handling? Then you can potentially see the comments.
Ray,
In that case, I'd be more worried about them seeing the code than the comments I think. I mean, <!--- to do: fix this error ---> to me, is far less worrisome than <cfif form.password is "knockknock"> ... let them in </cfif>
...
But, I may very well be overlooking something.
Oh no - you are right - I think the idea was you MAY think comments are harmless, and they certainly COULD end up being harmful if you aren't careful.
I still think it's overkill, and not worth being in a "top 10 security issues". But that's just me.
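The thread above turns on one distinction: a ColdFusion server-side comment (`<!--- ... --->`) is stripped before output, while a plain HTML comment (`<!-- ... -->`) is sent to every visitor, so a TODO or FIXME in the latter is what point 9 is really about. Sam's idea of an automated self-check is easy to sketch. The following is an added example, not code from the post or from any commenter: a small pre-deploy lint that scans a template for client-visible comments containing sensitive keywords and, optionally, rewrites just those into server-side comments. The sample template, the keyword list and all function names are constructed for illustration.

```python
import re

# Constructed sample of a .cfm template (hypothetical; not from the post).
# Line 1 is a CFML server-side comment (three dashes) and never reaches the browser.
# Line 3 is an ordinary HTML comment (two dashes) and is sent to every client.
SAMPLE_CFM = """\
<!--- TODO: server-side comment, stripped by ColdFusion before output --->
<html>
<!-- FIXME: remove hard-coded test password before launch -->
<body>
<!-- layout table below -->
<cfoutput>#greeting#</cfoutput>
</body>
</html>
"""

# Keywords that should never appear in something a visitor can read.
# Extend to taste; matching is case-insensitive.
SENSITIVE = ("TODO", "FIXME", "XXX", "HACK", "PASSWORD", "BYPASS")

# Matches an HTML comment but NOT a CFML server comment: after "<!--" the
# negative lookahead refuses a third dash, so "<!--- ... --->" is skipped.
HTML_COMMENT = re.compile(r"<!--(?!-)(.*?)-->", re.DOTALL)


def count_client_visible_comments(source):
    """Number of HTML comments that would be delivered to the browser."""
    return len(HTML_COMMENT.findall(source))


def find_leaky_comments(source):
    """Return (line_no, comment_text) for each client-visible comment
    that contains one of the SENSITIVE keywords."""
    findings = []
    for m in HTML_COMMENT.finditer(source):
        text = m.group(1).strip()
        if any(k in text.upper() for k in SENSITIVE):
            # 1-based line number of the comment's opening "<!--".
            line_no = source.count("\n", 0, m.start()) + 1
            findings.append((line_no, text))
    return findings


def rewrite_leaky_comments(source):
    """Convert only the flagged HTML comments into CFML server comments
    (<!--- ... --->), leaving harmless HTML comments (and anything like
    conditional comments) untouched."""
    def repl(m):
        text = m.group(1)
        if any(k in text.upper() for k in SENSITIVE):
            return "<!---" + text + "--->"
        return m.group(0)
    return HTML_COMMENT.sub(repl, source)


if __name__ == "__main__":
    for line_no, text in find_leaky_comments(SAMPLE_CFM):
        print("line %d: client-visible comment contains sensitive text: %s" % (line_no, text))
    fixed = rewrite_leaky_comments(SAMPLE_CFM)
    print("client-visible comments before/after: %d/%d"
          % (count_client_visible_comments(SAMPLE_CFM), count_client_visible_comments(fixed)))
```

Run it over each template before deploying (or feed it the rendered HTML fetched from your own site, which is closer to what Sam describes); the rewrite step is deliberately limited to flagged comments because blindly converting every HTML comment would also eat conditional comments that some pages depend on. This addresses only comments in the delivered page; the separate risk Ray raises, source shown by robust exception handling when an error occurs, is a server configuration matter that no source lint can catch.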