javascript - Prevent XSS attacks site-wide
Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow
Original: http://stackoverflow.com/questions/3638619/
Asked by Steven
I'm new to ColdFusion, so I'm not sure if there's an easy way to do this. I've been assigned to fix XSS vulnerabilities site-wide on this CF site. Unfortunately, there are tons of pages that are taking user input, and it would be near impossible to go in and modify them all.
Is there a way (in CF or JS) to easily prevent XSS attacks across the entire site?
Answered by Sripathi Krishnan
I hate to break it to you, but -
- XSS is an Output problem, not an Input problem. Filtering/Validating input is an additional layer of defence, but it can never protect you completely from XSS. Take a look at the XSS cheatsheet by RSnake - there's just too many ways to escape a filter.
- There is no easy way to fix a legacy application. You have to properly encode anything that you put in your html or javascript files, and that does mean revisiting every piece of code that generates html.
See OWASP's XSS prevention cheat sheet for information on how to prevent XSS.
Some of the comments below suggest that input validation is a better strategy than encoding/escaping at output. I am just quoting from OWASP's XSS prevention cheat sheet -
Traditionally, input validation has been the preferred approach for handling untrusted data. However, input validation is not a great solution for injection attacks. First, input validation is typically done when the data is received, before the destination is known. That means that we don't know which characters might be significant in the target interpreter. Second, and possibly even more importantly, applications must allow potentially harmful characters in. For example, should poor Mr. O'Malley be prevented from registering in the database simply because SQL considers ' a special character?
To elaborate - when the user enters a string like O'Malley, you don't know whether you need that string in javascript, or in html or in some other language. If it's in javascript, you have to render it as O\x27Malley, and if it's in HTML, it should look like O&#39;Malley. Which is why it is recommended that in your database the string should be stored exactly the way the user entered, and then you escape it appropriately according to the final destination of the string.
Answered by Daniel Sellers
One thing you should look at is implementing an application firewall like Portcullis: http://www.codfusion.com/blog/page.cfm/projects/portcullis which includes a much stronger system than the built-in scriptProtect, which is easily defeated.
These are a good starting point for preventing many attacks, but for XSS you are going to end up going in by hand and verifying that you are using things like HTMLEditFormat() on any outputs that can be touched by the client side or client data, to prevent outputting valid html/js code.
Answered by Pragnesh Vaghela
Besides applying all the ColdFusion hot fixes and patches you can also:
- Not foolproof, but it helps: set the following under CFADMIN > Settings > "Enable Global Script Protection"
- Add a CSRFToken to your forms http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
- Check the HTTP Referer
- Add validation for all user inputs
- Use cfqueryparam for your queries
- Add HTMLEditFormat() on any outputs
- Besides Peter Freitag's excellent blog you should also subscribe to Jason Dean's http://www.12robots.com
Answered by Mike Oliver
The ColdFusion 9 Livedocs describe a setting called "scriptProtect" which allows you to utilize ColdFusion's protection. I have not used it yet, so I'm not sure how effective it is.
However, if you implement a third-party or your own method of handling it, you would most likely want to put it in the "onRequestStart" event of the application to allow it to handle the entire site when it comes to URL and FORM scope violations (because every request would execute that code).