Does IsValid() protect from XSS?
Does using IsValid() to validate an email address or a URL format protect from XSS? Does it negate XSS when other formats are specified?
A valid URL can still contain an attack vector:
<!--- No on CF9 ---> <cfoutput>#isValid("url", "http://www.mydomain.com/products/products.asp?productid=123; DROP TABLE Products")#</cfoutput> <!--- Yes on CF9: hex encoded ';DROP TABLE Products' ---> <cfoutput>#isValid("url", "http://www.mydomain.com/products/products.asp?productid=123%3B%20%44%52%4F%50%20%54%41%42%4C%45%20%50%72%6F%64%75%63%74%73")#</cfoutput>
Granted the above is not an XSS attack, but it could be changed to instead update columns with an attack.
Email validation appears to prevent the attacks I could find.
As a generalization, isValid() helps prevent XSS attacks when the datatype is finite - integers, SSNs, UUIDs, etc.. however, there's a laundry list of documented potential attacks against fields whose only datatype per se is 'string'. In that case, isValid() is of no help, rather OWASP's AntiSamy is a useful tool for this purpose that traverses the DOM and removes anything not whitelisted.
Best regex to catch XSS (Cross-site Scripting) attack (in Java)? provides a lot of useful information on the general topic of XSS prevention.
And finally to belabor the point, use:
<cfqueryparam cfsqltype="..." value="...">
Last, but not least, OWASP XSS Cheat Sheet: best set of heuristics out there for processing input to prevent XSS.