TechNote

SetEncoding called in Application.cfm or Application.cfc disables global XSS protection (ColdFusion MX 7.02)

Issue


If you call the setEncoding function in Application.cfm or Application.cfc, the "Enable Global Script Protection" functionality provided in the ColdFusion MX 7 Administrator does not work.

Solution


Both ColdFusion MX 7 cumulative and individual hot fixes are installed in the ColdFusion Administrator. The installation process is the same for all platforms and installation choices.

Install the ColdFusion MX 7.0.2 hot fix.
  1. Download the hot fix (27k).
  2. Extract hf702-70749.jar from the hf702-70749.zip file.
  3. Open the ColdFusion Administrator and select the System Information page. Next to the Update File box, either:
    • Type in the file path to hf702-70749.jar, and then click Submit.
      OR
    • Select the Browse button, and then browse to hf702-70749.jar. Select the file, and then click Submit.
  4. Restart the ColdFusion Server.

You do not need to retain the ColdFusion MX 7 hot fix JAR file after installing it with the ColdFusion Administrator. This process copies the file to the correct location.

To verify that the hot fix is in use, check that the JAR file appears in the classpath on the Settings Summary page. The ColdFusion MX 7 hot fix JAR file also appears as a new entry on the System Information page.
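
The classpath check confirms that the JAR is loaded; the following added example (not Adobe's code) is a functional check that script protection is applied again to an application that calls setEncoding. The file names, application name and probe string are constructed for illustration. It assumes "Enable Global Script Protection" is turned on in the Administrator and relies on script protection's default behaviour of rewriting `<script` to `<InvalidTag`.

```cfml
<!--- ===== Application.cfm (constructed example) ===== --->
<!--- The setEncoding calls are the condition this TechNote describes. --->
<cfapplication name="scriptProtectCheck">
<cfset setEncoding("form", "utf-8")>
<cfset setEncoding("url", "utf-8")>

<!--- ===== scriptprotect_check.cfm (hypothetical name, same directory) ===== --->
<!--- Harmless marker value; it is only ever echoed back HTML-encoded. --->
<cfset probe = "<script>probe</script>">

<cfif structKeyExists(form, "probe")>
  <cfif findNoCase("<script", form.probe)>
    <!--- The tag arrived unchanged: script protection did not run. --->
    <cfset result = "NOT FILTERED: global script protection is not being applied">
  <cfelseif findNoCase("InvalidTag", form.probe)>
    <!--- The tag was rewritten: script protection is active. --->
    <cfset result = "FILTERED: global script protection is active">
  <cfelse>
    <cfset result = "UNEXPECTED: probe value was altered in another way">
  </cfif>
  <cfoutput>
    <p>#result#</p>
    <p>Value received: #HTMLEditFormat(form.probe)#</p>
  </cfoutput>
</cfif>

<!--- Self-posting form; the probe is encoded in the attribute so the
      browser submits the literal tag text. --->
<cfoutput>
<form method="post" action="#HTMLEditFormat(cgi.script_name)#">
  <input type="hidden" name="probe" value="#HTMLEditFormat(probe)#">
  <input type="submit" value="Run check">
</form>
</cfoutput>
```

Run the check once before installing the hot fix and again after the restart in step 4, then delete the test files from the server.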

You can remove ColdFusion hot fix JAR files by stopping the ColdFusion MX 7 Application Server service and then deleting the respective JAR file from cf_root/lib/updates.

Additional Information


  • "ColdFusion hot fixes (MX 7 and higher)" (TechNote tn_17833)

Document Details

ID:kb403202

Products Affected:

coldfusion