I'm not sure if you're directing that question at Dave or me, so I will
clarify my recommendation just in case.

==============================
Any time you embed text which a user/third party enters or has control
over into another media, ensure that the potentially-unsafe text has any
necessary meta-characters escaped.
==============================

That means if you want to output a name from the database into a
JavaScript variable, you should run it through jsstringformat to remove
any single ticks etc.

var users_name = '#jsstringformat(my_query.users_name)#';

If you are building an XML document out of user-entered form fields, use
xmlformat.

<root><employee>#xmlformat(form.name)#</employee></root>

If you are outputting a message in an HTML page, use htmleditformat.

<table>
        <tr>
                <td>
                        #htmleditformat(qry_message.message_text)#
                </td>
        </tr>
</table>

Any time you are evaluating a string as code, such as a JSON string
returned from an external web service, use a JSON parser instead of just
throwing it into an eval() function.

I know those are all generic examples, but I don't think there is
necessarily a "silver bullet" snippet of code you can paste at the top
of your page that will catch everything.  In theory, if ALL data were
properly escaped/sanitized according to the environment it was being
embedded in, XSS attacks would not exist.  In my opinion, _most_ XSS
attacks happen because programmers get lazy-- a sin I've certainly been
guilty of myself.

~Brad
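Added example, not part of Brad's message or of the CF-Talk thread: the same per-context escaping rule written in Python, using the standard library's html.escape, xml.sax.saxutils.escape and json.dumps as stand-ins for the htmleditformat, xmlformat and jsstringformat calls above, applied to a constructed display name, plus a JSON parser in place of eval(). The sample name, the render_* helpers and the is_json helper are assumptions made for the illustration.

```python
import html
import json
from xml.sax.saxutils import escape as xml_escape

# Constructed sample input: a display name as a user might have typed it into
# a form and saved to the database. It holds an apostrophe and markup.
USER_NAME = "O'Brien</td><script>alert(1)</script>"


def js_string_literal(value: str) -> str:
    """Return value as a double-quoted JavaScript string literal (the
    jsstringformat case). json.dumps escapes quotes, backslashes and control
    characters; '<' and '>' are encoded as well so that a '</script>' inside
    the data cannot close the surrounding <script> element."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e")


def xml_text(value: str) -> str:
    """Return value escaped for use as XML element text (the xmlformat case):
    '&', '<' and '>' become entity references."""
    return xml_escape(value)


def html_text(value: str) -> str:
    """Return value escaped for use as HTML text (the htmleditformat case).
    quote=True also encodes both quote characters, so the same helper is
    safe inside attribute values."""
    return html.escape(value, quote=True)


# Hypothetical template lines: each escaper runs at the point of embedding,
# chosen by the context the text lands in, never by where it came from.
def render_js(name: str) -> str:
    return f"var users_name = {js_string_literal(name)};"


def render_xml(name: str) -> str:
    return f"<root><employee>{xml_text(name)}</employee></root>"


def render_html(name: str) -> str:
    return f"<td>{html_text(name)}</td>"


def parse_json_payload(text: str):
    """Parse a response body from an external service with a JSON parser.
    Anything that is not JSON, such as a JavaScript expression that eval()
    would run, is rejected with ValueError instead of being executed."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"response is not JSON: {exc.msg}") from None


def is_json(text: str) -> bool:
    """True if text parses as JSON, False otherwise; never executes it."""
    try:
        json.loads(text)
    except json.JSONDecodeError:
        return False
    return True


if __name__ == "__main__":
    print(render_js(USER_NAME))
    print(render_xml(USER_NAME))
    print(render_html(USER_NAME))
    # Constructed responses: a real JSON document and a JavaScript expression.
    print(parse_json_payload('{"users_name": "O\'Brien"}'))
    print(is_json("alert(document.cookie)"))
```

The single quote in the sample name is harmless in the JavaScript case only because json.dumps emits a double-quoted literal; if a template wraps the value in single quotes, as the CFML line above does, the escaper must encode the apostrophe too, which is exactly what jsstringformat is there for.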

-----Original Message-----
From: Ian Rutherford [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 18, 2008 2:06 PM
To: CF-Talk
Subject: Re: Prevent Cross Site scripting

So what do you recommend instead? The built-in XSS protection doesn't
catch everything.


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303773