ivanionut · August 29, 2015 14:16
diff --git a/ScopeInjectionProtection.cfm b/ScopeInjectionProtection.cfm
 <!--- Sample ColdFusion 9+ script to prevent Fallback Scope Injection. URL & Form variables are universally accessible in the scope & used as fallback.
 Based on insights provided by Peter Freitag's blog post http://www.petefreitag.com/item/834.cfm --->
 <cfscript>
 Scopes = "arguments,local,thread,variables,cgi,cookie,client,request,application,session,server,caller,thistag,this";
 for (thisField in Form) {
 	if (ListLen(thisField,".") GT 1 AND ListFindNocase(Scopes, trim(ListFirst(ThisField,".")))){
 		StructDelete(Form, thisField);
 		if (ListFindnocase(Form.Fieldnames, ThisField)){
 			Form.Fieldnames = ListDeleteAt(Form.Fieldnames, ListFindnocase(Form.Fieldnames, ThisField));
 		}
 	}
 }
 for (thisField in URL) {
 	if (ListLen(thisField,".") GT 1 AND ListFindNocase(Scopes, trim(ListFirst(ThisField,".")))){
 		StructDelete(URL, thisField);
 	}
 }
 </cfscript>
	<!--- Sample ColdFusion 9+ script to prevent Fallback Scope Injection. URL & Form variables are universally accessible in the scope & used as fallback.
	Based on insights provided by Peter Freitag's blog post http://www.petefreitag.com/item/834.cfm --->
	<cfscript>
	Scopes = "arguments,local,thread,variables,cgi,cookie,client,request,application,session,server,caller,thistag,this";
	for (thisField in Form) {
	if (ListLen(thisField,".") GT 1 AND ListFindNocase(Scopes, trim(ListFirst(ThisField,".")))){
	StructDelete(Form, thisField);
	if (ListFindnocase(Form.Fieldnames, ThisField)){
	Form.Fieldnames = ListDeleteAt(Form.Fieldnames, ListFindnocase(Form.Fieldnames, ThisField));
	}
	}
	}
	for (thisField in URL) {
	if (ListLen(thisField,".") GT 1 AND ListFindNocase(Scopes, trim(ListFirst(ThisField,".")))){
	StructDelete(URL, thisField);
	}
	}
	</cfscript>