And the string "invalidTag" is defined in the neo-security.xml as well as the regex pattern used to check for scripting hacks.

<code>
<var name="CrossSiteScriptPatterns">
<struct type="coldfusion.server.ConfigMap">
<var name="&lt;\s*(object|embed|script|applet|meta)">
<string>&lt;InvalidTag</string>
</var>
</struct>
</var>
</code>

theres currently a secunia vulnerability listed for the cross site scripting feature as well. It was entered on 12 Dec 06 and is said to allow you to get around the feature.

http://secunia.com/advisori...

Might this be what the latest hotfix (2006-11-30) fixes?
"64586 Hot fix to resolve a possible cross-site scripting (XSS) vulnerability in ColdFusion's handling of forms."
http://www.adobe.com/cfusio...

Ray,
Thanks for the post, I've been having this issue on my codeShare site (http://codeshare.everfro.com, shameless plug). When users submit code with JS in it the script tag gets replaced with InvalidTag. Hopefully this will help me with my issue.

Ryan

Thanks for the post, it helped me to resolve the <InvalidTag issue that I faced.

Is there any way to get around this? I am working on a site that is on a shared server, and they have enabled it in the cf administrator (and won't allow it to be overridden in Application.cfc). The client needs to be able to embed flash and object files, as well as edit meta tags, but those are all rendered "invalid".

What do they mean they won't allow you? They will kick you off the server? Nothing in CF prevents you from turning it off in App.cfc.

Unfortunately I think you are out of luck. I'd change hosts.

Hi guys - I have a workaround for the problem you're mentioning.

<a href="http://www.beetrootstreet.c...">http://www.beetrootstreet.c...

It basically uses onRequestEnd.cfm to re-write the SCRIPT tags. It can also be adapted to work in an Application.cfc environment.

Hope it helps.

Martin

Seems the URL didn't insert properly. Try again..

http://www.beetrootstreet.c...

Martin

for some reason disabling it in the application.cfm doesn't work, you have to disable it in the cfadmin.

I believe you are wrong Russ. The CFAPP can always overrule the CF Admin. I'd check again.

My blogcfc has and always has had scriptrotect="none" in the cfapplication, it makes no difference, only disabling script protection in the cfadmin solves the problem. I will humor your telling me to check again and post the code here for you.

<cfapplication name="#prefix#_blog_#blogname#" sessionManagement="true" loginStorage="session" scriptprotect="none">

Is caching turned on in the CF Admin? I mean trusted cache.

Thank you Thank you. I was stumped where this was coming from.

Ray,
I've run into the same issue that Russ did. Going to do some further testing, but with global script protect on the override in the cfapplication doesn't seem to get picked up or its not allowed. A little odd. I believe blogCFC comes out of the box that way. I've cleared the template cache just to be sure but the issue persists.

That seems odd. I've never seen the template get overridden by the server setting before. Please let me know what you find.

Hi Raymond.

I have the same problem with this page http://www.4sixsix.nl/page....
See the source of this page. I have put scriptprotect="false" in the application file but nothing happen.
I have e-mail the support desk of hostek.com to see if there is something changed on the server.
This happend after an update of this page last week. Before that the youtube movies are show correct on the page ?

Sorry for the delay. Not sure what to tell you. Can you show me the code (ie, where you put in script protect). Also check to ensure your host doesn't have trusted cache turned on.

Maybe help some folks who have been having trouble...

Depending on your version, the string "False" may NOT equivalent to the boolean operator False. The string "No", however, IS equivalent.

Trying writing:
scriptProtect = false

OR:
scriptProtect = "No"

Do not write:
scriptProtect = "false"

That might solve some of the problems for some of the people out there.

I'd like to have the script protection on, but it messes up the HTML Editor in the CMS for my site. Any recommendations?

Since you can only turn it off and on at the Application or server level, you are out of luck. You would need to do the protection manually.

Ah - I thought so. I don't suppose you have a handy 'how-to' posted somewhere do you? :-) Thanks.

Perhaps: http://portcullis.riaforge....

Raymond, Thanks as always for your posts! Years later they are still helping folks out there like me!

Glad to help!

In case anyone else may come across this in the future, the URL that was attempted to be shared above got botched. And then the beetrootstreet blog is no longer is working (as I checked it), but I found the post with his interesting solution here via the good ol' "internet wayback machine" (archive.org), here:

http://web.archive.org/web/...

I haven't tried the code, but I can confirm that like others above (even on CF2018), I could not seem to get the scriptprotect="none" (in application.cfm or cfc) to override the global Admin scriptprotect setting. Would love to find that better solution (or for Adobe to fix this). But until then perhaps the code in the blog post above may help someone (I just turned off the global scriptprotect, as I have FuseGuard and other WAFs protecting me).

Thanks for the update Charlie.