Protecting HTML user login with ColdFusion

Suppose a user views a page with ?q=[searchterm] in the URL and I output something like this:

Your search result for <CFOUTPUT>#htmleditformat(URL.q)#</CFOUTPUT>: 

Some time ago I read that htmlEditFormat() is not enough and XSS can still be executed (for example, if someone sends the victim a link like http://example.com/?q=[evilXSS]).

I also save URL.q in the database (in this case I use ORM):

 <CFSET myobject.setKeyword(URL.q) /> 

but at the moment I'm interested in how to safely display user data in the browser.

+4
1 answer

You can also use xmlFormat(), described here. It escapes more characters than htmlEditFormat(), such as single quotes and high-ASCII characters in the range 159-255.

If you want more control, you can use Java's StringEscapeUtils directly.

+3
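The difference the answer describes, as an added example that is not part of the original question or answer: two JavaScript functions approximate the character sets attributed above to ColdFusion's htmlEditFormat() (escapes &, <, >, ") and xmlFormat() (additionally escapes ' and characters 159-255), and a small check shows why the single quote matters once the value is echoed inside a single-quoted attribute. The exact behaviour of the real ColdFusion functions is an assumption here; the sample query and the rendered markup are constructed for the demonstration.

```javascript
// Added example, not code from the original Q&A. Approximations (assumed
// character sets) of ColdFusion's htmlEditFormat() and xmlFormat(), so the
// difference the answer points out can be exercised offline.

// htmlEditFormat()-style escaping: ampersand, angle brackets, double quote only.
function escapeLikeHtmlEditFormat(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// xmlFormat()-style escaping: the same set plus the single quote and the
// high-ASCII range 159-255, emitted as decimal numeric character references.
function escapeLikeXmlFormat(s) {
  return escapeLikeHtmlEditFormat(s)
    .replace(/'/g, "&#39;")
    .replace(/[\u009f-\u00ff]/g, (c) => "&#" + c.charCodeAt(0) + ";");
}

// Returns the delimiter characters that survive escaping unchanged. Output
// placed inside a single-quoted attribute is only safe if ' is not among them.
function survivingDelimiters(escaped, delimiters = "<>\"'") {
  return [...delimiters].filter((d) => escaped.includes(d));
}

// The page from the question, rendered with a chosen escaper: the search term
// is echoed as text and inside a single-quoted attribute (constructed markup).
function renderSearchPage(q, escape) {
  const safe = escape(q);
  return (
    `<p>Your search result for ${safe}:</p>\n` +
    `<input type="text" name="q" value='${safe}'>`
  );
}

// Constructed sample input: a single quote, markup, a double quote, an
// ampersand and one high-ASCII character (U+00E9, decimal 233).
const SAMPLE_QUERY = "O'Brien <b>caf\u00e9</b> \"x\" & y";

// Runs both escapers over the sample and reports which delimiters survive.
function demo() {
  const viaHtmlEditFormat = escapeLikeHtmlEditFormat(SAMPLE_QUERY);
  const viaXmlFormat = escapeLikeXmlFormat(SAMPLE_QUERY);
  return {
    viaHtmlEditFormat,
    viaXmlFormat,
    // htmlEditFormat-style leaves ' untouched, so value='...' can be
    // terminated by the user-supplied value; xmlFormat-style leaves nothing.
    survivingAfterHtmlEditFormat: survivingDelimiters(viaHtmlEditFormat),
    survivingAfterXmlFormat: survivingDelimiters(viaXmlFormat),
  };
}

console.log(renderSearchPage(SAMPLE_QUERY, escapeLikeHtmlEditFormat));
console.log(renderSearchPage(SAMPLE_QUERY, escapeLikeXmlFormat));
console.log(demo());
```

Whichever function is used, it has to match the output context: the rules above cover HTML text and quoted attribute values, while a value written into a JavaScript string or a URL needs its own encoding. ColdFusion 10 and later also ship the context-specific encodeForHTML() and encodeForHTMLAttribute() functions for this purpose.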

Source: https://habr.com/ru/post/1385768/
