Hi Dennis,

Take a look at AntiSamy for Java, it will sanitize HTML based on rules
you specify. Also take a look at OWASP ESAPI for Java, which has
encoder methods you can use when you output variables on your page to
prevent XSS (ESAPI has support for using AntiSamy as well). I covered
this at my cfunited presentation "Writing Secure CFML", I will be
posting slides for that on my blog hopefully later today.


--
Pete Freitag
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?



On Wed, Jul 28, 2010 at 12:09 AM, UXB Internet <denn...@uxbinternet.com> wrote:
>
> I am wondering if anyone has a UBBCode to Html conversion for the [IMG] tag
> that will sanitize the input to prevent XSS vulnerabilities such as adding
> script to the <img> tag. I am trying to prevent XSS like below and worse.  I
> have a CF based forum I inherited and the UBB > HTML conversion for the
> [img] tag is simplistic and needs replacing.  I would rather not reinvent
> the wheel if I don't have to especially since this is a favor for someone.
> Any help is appreciated.
>
> [img]http://www.uxb.net/images/small-logo.gif "
> onLoad="alert(String.fromCharCode(88,83,83))[/img]
>
> [img]fake.png" onerror="alert(String.fromCharCode(88,83,83))[/img]
>
> Dennis Powers
> UXB Internet - A Website Design & Hosting Company
> P.O. Box 6028
> Wolcott, CT 06716
> 203-879-2844
> http://www.uxbinternet.com
>
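The two payloads quoted above work because the naive converter drops whatever sits between [img] and [/img] straight into the src attribute, so a stray double quote closes the attribute and an onload/onerror handler follows. The following Python script is an added illustration of the defensive approach (not code from this thread, from AntiSamy, or from ESAPI): validate that the value is a plain absolute http(s) URL with no quotes, whitespace or angle brackets, then attribute-encode it on output, and otherwise emit the markup as escaped text so nothing executes. The function and variable names are my own; the sample inputs are the two payloads from the post plus one benign tag, constructed inline.

```python
import html
import re
from urllib.parse import urlsplit

# Matches [img]...[/img] (case-insensitive, may span a wrapped line).
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def unsafe_img_to_html(text):
    """The simplistic conversion described in the post: no validation, no encoding."""
    return IMG_TAG.sub(lambda m: '<img src="%s">' % m.group(1), text)


def is_safe_image_url(url):
    """Accept only an absolute http(s) URL with a host and no characters that
    could break out of a quoted attribute or smuggle in a different scheme."""
    if any(c in '"\'<>' or ord(c) <= 0x20 for c in url):
        return False
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def safe_img_to_html(text):
    """Whitelist the URL, then HTML-attribute-encode it; reject everything else."""
    def repl(m):
        url = m.group(1).strip()
        if not is_safe_image_url(url):
            # Not a usable image URL: show the literal markup, escaped, so the
            # browser renders text rather than a tag with an event handler.
            return html.escape(m.group(0), quote=True)
        return '<img src="%s">' % html.escape(url, quote=True)
    return IMG_TAG.sub(repl, text)


# Constructed samples: the two payloads from the post and a benign tag.
SAMPLES = [
    '[img]http://www.uxb.net/images/small-logo.gif "\n'
    'onLoad="alert(String.fromCharCode(88,83,83))[/img]',
    '[img]fake.png" onerror="alert(String.fromCharCode(88,83,83))[/img]',
    '[img]http://www.uxb.net/images/small-logo.gif[/img]',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("unsafe:", unsafe_img_to_html(s))
        print("safe:  ", safe_img_to_html(s))
        print()
```

The validation step is deliberately stricter than "escape it": encoding alone would stop the quote-breakout but still let a javascript: or data: URL through as a valid src, which is why the scheme and host are checked before the value is ever placed in the attribute.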

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335985