Re: AntiSpammy vs http://www.cflib.org/udf.cfm/safetext for preventing XSS

Hi Brook,

I think it would be difficult to get AntiSamy to ignore the Google Analytics script and not other scripts. You can pass a regex into AntiSamy for attribute validation, but I don't think you can match a global pattern in the policy file. I think the best approach in your situation is to strip out the analytics code before sending it to AntiSamy for validation, as you suggested.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?

On Thu, May 19, 2011 at 11:44 PM, Brook Davies cft...@logiforms.com wrote:
> Hi Andrew,
>
> But consider a CMS or 'landing page creator' that allows users to create their own landing pages - and insert their own Google Analytics code. So I would need to be able to tell AntiSamy that I want to allow a specific script... A Google search didn't turn up anything. I guess I could use a regex to find it, strip it out, then run AntiSamy, then put the GA code back in...
>
> Brook
>
> -----Original Message-----
> From: Andrew Scott [mailto:andr...@andyscott.id.au]
> Sent: May-19-11 4:56 PM
> To: cf-talk
> Subject: RE: AntiSpammy vs http://www.cflib.org/udf.cfm/safetext for preventing XSS
>
> > AntiSamy is brilliant. The way this is used is as an HTML string cleaner. What that means is that you define which configuration type you want; there are predefined configs like Slashdot, to name but one. These configs are fully configurable to the HTML elements. The Slashdot config is what Slashdot itself uses to clean any user input from their site that contains HTML inputs.
> >
> > Now as for your question, it doesn't clean the HTML that is first being served or generated by your application. It cleans any text or string input, by passing it through the library, and then getting back a sanitized version that you can then do with as you wish.
> >
> > So that means your GA will still work because that came from the page itself, and you would not want to use GA in what people enter in your text boxes and text areas.
> >
> > Hope that helps.
> >
> > Regards,
> > Andrew Scott
> > http://www.andyscott.id.au/
> >
> > -----Original Message-----
> > From: Brook Davies [mailto:cft...@logiforms.com]
> > Sent: Friday, 20 May 2011 1:09 AM
> > To: cf-talk
> > Subject: AntiSpammy vs http://www.cflib.org/udf.cfm/safetext for preventing XSS
> >
> > > Hi Guys,
> > >
> > > I'm currently using the safeText UDF (http://www.cflib.org/udf.cfm/safetext) to clean user submitted content, both HTML fragments and full HTML documents. Based on some reading over at http://www.petefreitag.com/item/760.cfm, I am considering using AntiSamy instead. What I want to know is:
> > >
> > > 1. What are your experiences with this?
> > > 2. I need to be able to explicitly allow some script tags - like the Google Analytics code. Is this possible with AntiSamy?
> > > 3. I'm gonna test this some more on my end, but I am guessing that there would be substantially more overhead in instantiating and invoking the AntiSamy Java classes and scanning 100 elements than there would be calling an application scoped UDF method. Does that sound right? I'm gonna (time permitting) test this today.
> > >
> > > Just thought I would post this (maybe someone who's not knee deep in 'ColdFusion and Ajax Choices' nonsense) and see if anyone had any experience with it before I jump in...
> > >
> > > Brook

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344751
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: AntiSpammy vs http://www.cflib.org/udf.cfm/safetext for preventing XSS

AntiSamy is brilliant. The way this is used is as an HTML string cleaner. What that means is that you define which configuration type you want; there are predefined configs like Slashdot, to name but one. These configs are fully configurable to the HTML elements. The Slashdot config is what Slashdot itself uses to clean any user input from their site that contains HTML inputs.

Now as for your question, it doesn't clean the HTML that is first being served or generated by your application. It cleans any text or string input, by passing it through the library, and then getting back a sanitized version that you can then do with as you wish.

So that means your GA will still work because that came from the page itself, and you would not want to use GA in what people enter in your text boxes and text areas.

Hope that helps.

Regards,
Andrew Scott
http://www.andyscott.id.au/

-----Original Message-----
From: Brook Davies [mailto:cft...@logiforms.com]
Sent: Friday, 20 May 2011 1:09 AM
To: cf-talk
Subject: AntiSpammy vs http://www.cflib.org/udf.cfm/safetext for preventing XSS

> Hi Guys,
>
> I'm currently using the safeText UDF (http://www.cflib.org/udf.cfm/safetext) to clean user submitted content, both HTML fragments and full HTML documents. Based on some reading over at http://www.petefreitag.com/item/760.cfm, I am considering using AntiSamy instead. What I want to know is:
>
> 1. What are your experiences with this?
> 2. I need to be able to explicitly allow some script tags - like the Google Analytics code. Is this possible with AntiSamy?
> 3. I'm gonna test this some more on my end, but I am guessing that there would be substantially more overhead in instantiating and invoking the AntiSamy Java classes and scanning 100 elements than there would be calling an application scoped UDF method. Does that sound right? I'm gonna (time permitting) test this today.
>
> Just thought I would post this (maybe someone who's not knee deep in 'ColdFusion and Ajax Choices' nonsense) and see if anyone had any experience with it before I jump in...
>
> Brook

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344728
RE: AntiSpammy vs http://www.cflib.org/udf.cfm/safetext for preventing XSS

Hi Andrew,

But consider a CMS or 'landing page creator' that allows users to create their own landing pages - and insert their own Google Analytics code. So I would need to be able to tell AntiSamy that I want to allow a specific script... A Google search didn't turn up anything. I guess I could use a regex to find it, strip it out, then run AntiSamy, then put the GA code back in...

Brook

-----Original Message-----
From: Andrew Scott [mailto:andr...@andyscott.id.au]
Sent: May-19-11 4:56 PM
To: cf-talk
Subject: RE: AntiSpammy vs http://www.cflib.org/udf.cfm/safetext for preventing XSS

> AntiSamy is brilliant. The way this is used is as an HTML string cleaner. What that means is that you define which configuration type you want; there are predefined configs like Slashdot, to name but one. These configs are fully configurable to the HTML elements. The Slashdot config is what Slashdot itself uses to clean any user input from their site that contains HTML inputs.
>
> Now as for your question, it doesn't clean the HTML that is first being served or generated by your application. It cleans any text or string input, by passing it through the library, and then getting back a sanitized version that you can then do with as you wish.
>
> So that means your GA will still work because that came from the page itself, and you would not want to use GA in what people enter in your text boxes and text areas.
>
> Hope that helps.
>
> Regards,
> Andrew Scott
> http://www.andyscott.id.au/
>
> -----Original Message-----
> From: Brook Davies [mailto:cft...@logiforms.com]
> Sent: Friday, 20 May 2011 1:09 AM
> To: cf-talk
> Subject: AntiSpammy vs http://www.cflib.org/udf.cfm/safetext for preventing XSS
>
> > Hi Guys,
> >
> > I'm currently using the safeText UDF (http://www.cflib.org/udf.cfm/safetext) to clean user submitted content, both HTML fragments and full HTML documents. Based on some reading over at http://www.petefreitag.com/item/760.cfm, I am considering using AntiSamy instead. What I want to know is:
> >
> > 1. What are your experiences with this?
> > 2. I need to be able to explicitly allow some script tags - like the Google Analytics code. Is this possible with AntiSamy?
> > 3. I'm gonna test this some more on my end, but I am guessing that there would be substantially more overhead in instantiating and invoking the AntiSamy Java classes and scanning 100 elements than there would be calling an application scoped UDF method. Does that sound right? I'm gonna (time permitting) test this today.
> >
> > Just thought I would post this (maybe someone who's not knee deep in 'ColdFusion and Ajax Choices' nonsense) and see if anyone had any experience with it before I jump in...
> >
> > Brook

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344735
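The "find it, strip it out, run the sanitizer, put it back" plan that Brook proposes above, and that Pete endorses in his reply, is easy to get wrong: if the thing you cut out and paste back is whatever the user typed between two `<script>` tags, the sanitizer never sees it and the XSS protection is gone. The following is an added example (not code from the thread, and not AntiSamy's API; `toy_sanitize` is a small allowlist stand-in for AntiSamy written for this example) that carries the pattern through in Python with the checks a practitioner would want: only a block matching a fixed GA template is preserved, with the tracking ID as the single variable part (the `UA-…` shape is an assumption); the restored block is rebuilt from the template rather than copied from the user's bytes; the placeholder carries a per-call random nonce so a user cannot type one by hand; and a placeholder that ends up inside a tag (for example in an attribute value) is never expanded. The GA template and all sample inputs are constructed for this example.

```python
"""Carry a known Google Analytics snippet through an HTML sanitizer.

Cut template-exact GA blocks out, sanitize the remainder, then rebuild the
blocks from the template.  toy_sanitize stands in for AntiSamy (it is a small
tag/attribute allowlist written for this example, not AntiSamy's API).
"""
import html
import re
import secrets
from html.parser import HTMLParser

# Constructed, shortened form of the 2011 ga.js snippet used as the template.
GA_TEMPLATE = (
    '<script type="text/javascript">\n'
    "var _gaq = _gaq || [];\n"
    "_gaq.push(['_setAccount', '{tracking_id}']);\n"
    "_gaq.push(['_trackPageview']);\n"
    "</script>"
)
TRACKING_ID = r"UA-\d{4,10}-\d{1,4}"   # assumed shape of a classic GA property ID


def build_ga_matcher():
    """Match the template token for token (any whitespace between tokens) and
    capture the tracking ID.  Anything extra inside the script makes it fail."""
    parts = []
    for token in GA_TEMPLATE.split():
        parts.append(re.escape(token).replace(re.escape("{tracking_id}"), f"({TRACKING_ID})"))
    return re.compile(r"\s+".join(parts))


ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "div", "span", "ul", "li"}
ALLOWED_ATTRS = {"a": {"href"}}


class _AllowlistSanitizer(HTMLParser):
    """Keep allowlisted tags/attributes, escape all other text, and drop
    <script>/<style> together with their contents (stand-in for AntiSamy)."""

    def __init__(self):
        super().__init__()            # convert_charrefs=True: text arrives decoded
        self.out, self.drop_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.drop_depth += 1
        elif not self.drop_depth and tag in ALLOWED_TAGS:
            kept = "".join(
                f' {n}="{html.escape(v, quote=True)}"'
                for n, v in attrs
                if n in ALLOWED_ATTRS.get(tag, ()) and v
                and v.lower().startswith(("http://", "https://")))
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.drop_depth = max(0, self.drop_depth - 1)
        elif not self.drop_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))


def toy_sanitize(fragment):
    parser = _AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def sanitize_preserving_ga(user_html, sanitize=toy_sanitize):
    """Strip template-exact GA blocks, sanitize, then rebuild them from the template."""
    nonce = secrets.token_hex(8)       # unguessable, so users cannot forge a placeholder
    tracking_ids = []

    def cut(match):
        tracking_ids.append(match.group(1))
        return f"[[GA-{nonce}-{len(tracking_ids) - 1}]]"   # plain text survives sanitizing

    cleaned = sanitize(build_ga_matcher().sub(cut, user_html))

    def restore(match):
        pos = match.start()
        # Sanitizer output is well-formed, so a bare '<' only opens a tag: if the
        # nearest '<' before us is still open, the placeholder sits inside a tag
        # (e.g. an attribute value) and must not be expanded there.
        if cleaned.rfind("<", 0, pos) > cleaned.rfind(">", 0, pos):
            return ""
        return GA_TEMPLATE.format(tracking_id=tracking_ids[int(match.group(1))])

    return re.sub(rf"\[\[GA-{nonce}-(\d+)\]\]", restore, cleaned)


# Constructed sample: a GA block to keep, a third-party script and an inline
# event handler that must both be dropped.
SAMPLE = "\n".join([
    "<p>Welcome to my <b>landing page</b>!</p>",
    GA_TEMPLATE.format(tracking_id="UA-12345-6"),
    '<script src="http://example.com/other.js"></script>',
    '<a href="https://example.com/offer" onclick="go()">Sign up</a>',
])


def demo():
    return sanitize_preserving_ga(SAMPLE)


if __name__ == "__main__":
    print(demo())
```

With a real deployment you would replace `toy_sanitize` with the call into AntiSamy and keep the rest; the two properties that matter are that the placeholder is ordinary text the sanitizer leaves alone, and that the restored block never contains user-controlled bytes beyond the validated tracking ID.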