cheapterp 0 Light Poster

Does anyone here have experience using the Acunetix Web Vulnerability Scanner? I happened to use it on my site to check for vulnerabilities and found about 15 HIGH level ones - all of them with basically the same problem: Cross Site Scripting and Cross Site Scripting in URI.

For every input on all of my pages, I use the <cfqueryparam> tag. Numbers are meant to be entered in most of the textfields on the site. Therefore, in addition to the <cfqueryparam cfsqltype = cf_sql_float> I also set a maxlength for every text field - usually about 9 characters. Text inputs where 'VARCHAR' type data is expected are also validated on the server side (in addition to the cfqueryparam tag).

Am I still vulnerable to XSS and SQL Injection? Do I need to filter meta-characters?
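A worked illustration of the distinction the question turns on, as an added example (not the original poster's code and not taken from Acunetix): <cfqueryparam> binds values for the database and so addresses SQL injection, while XSS is an output problem, so every value echoed back into the page needs encoding for the context it lands in. The datasource name siteDSN, the products table and the url.id / url.q parameters are assumed for the example.

```cfml
<!--- Added example, not the original poster's code. Assumes a datasource
      "siteDSN" and a table "products" with columns id and name. --->
<cfparam name="url.id" default="0">
<cfparam name="url.q"  default="">

<!--- 1. SQL injection: validate the type first, then bind with cfqueryparam.
      The value is sent as a typed parameter, never spliced into the SQL
      string. This is the part the poster already does. --->
<cfif NOT isValid("integer", url.id)>
    <cfthrow message="Invalid product id">
</cfif>

<cfquery name="product" datasource="siteDSN">
    SELECT id, name
    FROM   products
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 2. XSS: cfqueryparam does nothing for output. A value that reaches the
      browser unencoded is rendered as markup, which is what a scanner
      reports when the parameter it sent comes back verbatim.

      Unsafe (shown for contrast, left commented out):
      <cfoutput><p>You searched for: #url.q#</p></cfoutput>
--->

<!--- HTML body context: encodeForHTML (ColdFusion 10+) turns < > & " '
      into entities, so the value is displayed, not interpreted. --->
<cfoutput><p>You searched for: #encodeForHTML(url.q)#</p></cfoutput>

<!--- Attribute and URL contexts each need their own encoder. --->
<cfoutput>
    <input type="text" name="q" value="#encodeForHTMLAttribute(url.q)#">
    <a href="search.cfm?q=#encodeForURL(url.q)#">Search again</a>
</cfoutput>

<!--- Database columns that once came from a user get the same treatment
      on the way out; the cfqueryparam on the way in does not sanitise. --->
<cfoutput query="product">
    <li>#encodeForHTML(product.name)#</li>
</cfoutput>
```

On ColdFusion releases before 10, htmlEditFormat() and urlEncodedFormat() are the available equivalents of encodeForHTML() and encodeForURL(). A maxlength on the field and a numeric cfsqltype limit what reaches the query, but they do not affect what a later page prints, so the check for each scanner finding is where that parameter is echoed and whether an encoder wraps it there.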
