Sanitizing strings / input in ColdFusion 9

Recently I have been working with ColdFusion 9 (my background is mainly PHP), and I am scratching my head trying to figure out how to "clear / clean" the input / string that the user sent.

I want to make it HTML-safe, with any JavaScript or SQL query stripped out, plain. I hope I have missed some feature that already comes with CF9.

Can someone point me in the right direction?

4 answers

This addition to Kyle's suggestions is not an alternative answer, but the comment box is a bit rubbish for links.

Take a look at the ColdFusion string functions. You have HTMLCodeFormat, HTMLEditFormat, JSStringFormat and URLEncodedFormat. All of these can help you with content posted from a form.

You can also try using the regular expression functions to remove HTML tags, but this is never an exact science. This ColdFusion-based regex / HTML question should help a bit.

You can also try to protect yourself from bots and well-known spammers by using something like cfformprotect, which combines Project Honeypot and Akismet protection, among other tools, in your forms.


Well, for SQL injection you want to use CFQUERYPARAM.

As for sanitizing input against XSS and the like, you can use the ScriptProtect attribute of CFAPPLICATION, although I have heard that it doesn't work flawlessly. You can look at Portcullis or similar third-party CFCs for better script protection if you prefer.


You have several options:

As has been noted, if you really want to sanitize HTML, use Java, which ColdFusion can access natively. In particular, use the OWASP AntiSamy Project, which takes an HTML snippet and whitelists which values can be part of it. This is the same approach that sites like SO and slashdot.org use to protect their views, and it is the safer approach to accepting markup content.


String sanitization in ColdFusion, as in any other language, is very important and depends on what you want to do with the string. Most mitigations are for:

  • storing content in a database (e.g. <cfqueryparam ...>)
  • using the content for display on the next page (for example, putting a URL parameter in a link or showing a URL parameter as text)
  • saving files and using uploaded files and their contents

There is always a risk if you follow the idea of accepting basically everything in the first step and then removing the malicious code "afterwards" by deleting or replacing characters (blacklist). The better solution is to use rereplace(...) with regular expressions that explicitly allow only the characters the script needs (whitelist); use this as the simple solution wherever possible, e.g. for inputs such as numbers, lists, email addresses, URLs, names, zip codes, cities, etc.

For example, if you expect an email address, you can use

 <cfif reFindNoCase("^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.(?:[A-Z]{2,})$", stringtosanitize)>...ok, clean...<cfelse>...not ok...</cfif> 

(or your own regular expression). For HTML input or CSS input, I would also recommend the OWASP Java HTML Sanitizer Project.

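The whitelist approach from the last answer, carried through the three contexts the answers mention (database, HTML/JS/URL output), as an added example that is not code from any of the posters. It assumes only CF9 built-ins; the datasource name "myDsn", the form field names and the allow-list patterns are constructed for the example.

```cfml
<!--- Added example: allow-list validation per input type, then context-specific encoding.
      Assumes ColdFusion 9 built-ins only; "myDsn" and the form fields are placeholders. --->
<cfscript>
    // Allow-list patterns: reject anything that does not match, instead of trying
    // to strip "bad" characters out of arbitrary input (blacklist).
    allowed = {
        "id"    = "^[0-9]{1,10}$",
        "zip"   = "^[0-9]{5}$",
        "email" = "^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}$",
        "name"  = "^[A-Z][A-Z '\-]{0,49}$"
    };

    // Returns true only when the value matches the whole pattern for its kind.
    function isAllowed(value, kind) {
        if (!structKeyExists(allowed, kind)) return false;
        return reFindNoCase(allowed[kind], value) gt 0;
    }
</cfscript>

<cfparam name="form.userId" default="">
<cfparam name="form.displayName" default="">

<cfif NOT isAllowed(form.userId, "id") OR NOT isAllowed(form.displayName, "name")>
    <cfoutput><p>Input rejected.</p></cfoutput>
<cfelse>
    <!--- Context 1: database. cfqueryparam binds the value as a typed parameter,
          so it is never concatenated into the SQL text. --->
    <cfquery name="q" datasource="myDsn">
        UPDATE users
           SET display_name = <cfqueryparam value="#form.displayName#" cfsqltype="cf_sql_varchar" maxlength="50">
         WHERE id = <cfqueryparam value="#form.userId#" cfsqltype="cf_sql_integer">
    </cfquery>

    <!--- Context 2: HTML body. HTMLEditFormat escapes <, >, & and quotes. --->
    <cfoutput><p>Saved #HTMLEditFormat(form.displayName)#</p></cfoutput>

    <!--- Context 3: URL query string and a JavaScript string literal, each with its own encoder. --->
    <cfoutput>
        <a href="profile.cfm?name=#URLEncodedFormat(form.displayName)#">profile</a>
        <script>var who = "#JSStringFormat(form.displayName)#";</script>
    </cfoutput>
</cfif>
```

The point is that validation (the allow-list) and encoding (HTMLEditFormat, JSStringFormat, URLEncodedFormat, cfqueryparam) are separate steps, and the encoder is chosen by where the value ends up, not by where it came from.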

Source: https://habr.com/ru/post/1334986/
