Hi Nick,

It is tricky to handle HTML content while avoiding XSS, but there are two
tools I'm aware of that can help you here:

1) scrubHTML() - This is one I built in pure CFML, and I think it is pretty
easy to build a whitelist of allowed HTML using it:
https://github.com/foundeo/cfml-security
It will use your whitelist and only allow the HTML tags and attributes that
you allow to come out the other end; anything not matching the whitelist is
removed.
2) AntiSamy - written in Java, widely used, but its policy files can be
tricky to work with. Example using it with CFML:
http://www.petefreitag.com/item/760.cfm


--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes



On Wed, Feb 19, 2014 at 11:08 PM, Nick Gleason <n.glea...@citysoft.com> wrote:

>
> Hi All,
> I'm very interested in your feedback on best practices when 1) trying to
> mitigate risk of XSS and other hacks while 2) providing CMS functionality
> that includes a web editor that clients use to publish web pages.
> For example, there are many tags like <style>, <iframe>, and <embed> that
> are considered risks by OWASP and others but are also typically needed by
> CMS users to create web pages, embed youtube videos, and the like.
> We're thinking through how to manage the trade offs so that we protect
> clients but don't frustrate them in making their web pages.
> I'd love to know how others are managing these issues effectively.  Our
> users who are creating web pages with an editor (FCKeditor) are generally
> working behind a login as administrators, so there is that login security -
> not anyone can use the editor to create a web page.  But, we have generally
> had a lot more security than that.
> I'm assuming that there are users of Mura, Farcry and other CMS's on this
> list and I'd love to know how you have addressed these risks.
> Thanks in advance!
> Nick
>
>
>
>
> 
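As an added illustration of the whitelist approach described in the reply above (this is example code written for this page, not scrubHTML or AntiSamy, and both the tag allow-list and the YouTube embed host list are assumptions to tune per site), here is a small sanitizer built on Python's standard library. It shows the two decisions any such tool has to make, which the original question turns on: which tags and attributes survive at all, and, for a tag like <iframe> that is both risky and genuinely needed by CMS users, which URLs are acceptable on it. Everything else, including script/style bodies, event-handler attributes and javascript:/data: URLs, is removed rather than escaped.

```python
# Added example (not scrubHTML or AntiSamy): a whitelist HTML sanitizer built
# on Python's standard library to show the approach described in the reply.
# Tags/attributes off the allow-list are removed, script/style content is
# dropped whole, URL attributes must use a safe scheme, and <iframe> survives
# only with an HTTPS YouTube embed src (the embed host list is an assumption).
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {  # tag -> attributes it may keep; everything else is stripped
    "p": set(), "br": set(), "b": set(), "i": set(), "strong": set(),
    "em": set(), "ul": set(), "ol": set(), "li": set(), "h2": set(), "h3": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "iframe": {"src", "width", "height"},
}
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style", "object", "embed", "noscript"}
URL_ATTRS = {"href", "src"}
EMBED_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com"}  # assumption


def safe_url(tag, attr, value):
    """True if a URL attribute value may be kept on this tag."""
    # Browsers ignore tab/CR/LF inside a scheme ("java\tscript:"), so drop them.
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    parts = urlsplit(cleaned)
    scheme = parts.scheme.lower()
    if tag == "iframe":  # only HTTPS YouTube embeds, never arbitrary frames
        return (scheme == "https" and parts.netloc.lower() in EMBED_HOSTS
                and parts.path.startswith("/embed/"))
    if attr == "href" and scheme == "mailto":
        return True
    # Relative, http and https only: javascript:, data:, vbscript: all fail here.
    return scheme in ("", "http", "https")


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded, re-escaped below
        self.out = []
        self.open = []        # allowed tags currently open, keeps output balanced
        self.drop_depth = 0   # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return            # unknown tag vanishes; its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue      # e.g. onclick=, style=, or a bare attribute
            if name in URL_ATTRS and not safe_url(tag, name, value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        if tag == "iframe" and not any(k.startswith(" src=") for k in kept):
            return            # an iframe whose src was rejected is dropped whole
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_startendtag(self, tag, attrs):  # <br/>, <p/>
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
        elif not self.drop_depth and tag in self.open:
            while self.open:  # also closes anything left open inside it
                inner = self.open.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                  # comments (incl. IE conditional comments) dropped

    def result(self):
        while self.open:      # close tags the input left unbalanced
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(dirty):
    """Return only whitelisted HTML from untrusted editor input."""
    parser = WhitelistSanitizer()
    parser.feed(dirty)
    parser.close()
    return parser.result()
```

Two design points carry over to any real deployment. First, the output is re-serialized from parsed tags, never a copy of the input with bad bits cut out, so half-broken markup such as an unclosed <b> or a `<scr<script>ipt>` trick cannot leak through as raw text. Second, the style attribute and <style> tag are simply absent from the allow-list because CSS needs its own parser to be made safe; if editors need them, that is a separate whitelist, not an exception. For production use, a maintained sanitizer such as the ones named above is still the right choice; this block is for understanding what such a tool must decide.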

Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357715