Quote:
Originally Posted by twalters84
What do you mean exactly when you say the first thing you do is validate the URL?
Does this mean you have some script check for
"http://www." + DOMAIN + TOP LEVEL DOMAIN EXTENSION
Pretty much, but you also have to account for different protocols [http/https] and subdomains.
[protocol]://[subdomain].[domain].[extension], and each part of the URL has only specific letters that can be used. I know JavaScript can validate it using regular expressions [don't ask me the specific regex, because I have no clue], and I'm sure ColdFusion has regex too. If you are really paranoid, you can try to establish a connection to the specified URL [maybe using the cURL library] to make sure that the URL actually exists, not just that it is in the proper format.
And I have read Chris Shiflett's article before, but I haven't done much research on the information in that article, so I can't say anything for certain about it. But according to that article, and other sources I have read, setting your character encoding in the meta tags only allows that encoding to be used on the page. So in theory it should prevent any UTF-7 attacks.
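The structural check described in the reply above ([protocol]://[subdomain].[domain].[extension], with only permitted characters in each part), written out as an added JavaScript example. This is not the poster's code or a ColdFusion sample; it uses the WHATWG URL parser that modern browsers and Node.js provide to split the URL, then applies its own regexes (assumed here, not taken from the thread) to the protocol and to each DNS label of the host. The reachability check the poster mentions is deliberately left out: it needs a network, and a server that fetches arbitrary user-supplied URLs is its own risk, so run it only after a syntactic check like this one passes.

```javascript
// Added example (not from the original post): syntactic validation of a
// user-supplied absolute URL of the form [protocol]://[subdomain].[domain].[tld].
// Assumptions: only http/https are acceptable, the host must be a DNS name
// (not an IP literal or a bare single label), and embedded credentials are rejected.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// One DNS label: letters, digits and hyphens, 1-63 chars, no leading or trailing
// hyphen (RFC 1035 / RFC 1123 hostname rules). Case-insensitive.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

// Top-level domain: letters only, at least two. This also rejects dotted IPv4
// addresses, whose last "label" is numeric.
const TLD_RE = /^[a-z]{2,63}$/i;

function validateUrl(input) {
  let url;
  try {
    // The WHATWG parser normalises case, percent-encoding and IDNA for us and
    // throws on anything it cannot parse as an absolute URL.
    url = new URL(String(input));
  } catch {
    return { ok: false, reason: 'unparseable' };
  }

  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: 'protocol' };          // ftp:, javascript:, data:, ...
  }
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'credentials' };       // http://trusted.com@evil.com style confusion
  }

  const host = url.hostname;                            // already lower-cased by the parser
  if (host.length === 0 || host.length > 253) {
    return { ok: false, reason: 'host-length' };
  }

  const labels = host.split('.');
  if (labels.length < 2) {
    return { ok: false, reason: 'labels' };            // need at least domain + tld
  }
  if (!labels.every((label) => LABEL_RE.test(label))) {
    return { ok: false, reason: 'label-chars' };       // empty label, underscore, bad hyphen, IPv6 brackets
  }
  if (!TLD_RE.test(labels[labels.length - 1])) {
    return { ok: false, reason: 'tld' };               // numeric or otherwise non-alphabetic TLD
  }

  return {
    ok: true,
    href: url.href,                                     // normalised form, safe to store/compare
    protocol: url.protocol.slice(0, -1),                // "http" or "https"
    subdomains: labels.slice(0, -2),                    // [] for a bare domain.tld
    domain: labels[labels.length - 2],
    tld: labels[labels.length - 1],
  };
}

// Usage: constructed sample inputs, one accepted and several rejected.
const samples = [
  'https://www.example.com/path?q=1',
  'HTTP://WWW.Example.COM/',
  'ftp://example.com/',
  'javascript:alert(1)',
  'http://192.168.0.1/',
  'http://localhost/',
  'http://user:pw@example.com/',
  'http://bad_host.example.com/',
  'not a url',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', JSON.stringify(validateUrl(s)));
}
```

Rejections carry a short reason so the calling form can tell the user what to fix; the accepted result returns the parser's normalised `href` rather than the raw input, which is the value to store or compare. The regexes encode DNS hostname rules only; if your application must also accept IP literals, internationalised domain names in their Unicode form, or non-standard ports, loosen those checks deliberately rather than dropping them.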