Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can I get robust XSS protection in CF11 that I can apply to an entire site without touching every query or input?

So I'm currently using CF11 and CFWheels 1.1, the "Global Script Protection"(GSP) server feature does an awful job of covering the XSS bases. I would like to extend it to block any and all tags/vectors for JS from being inserted into the database.

CF11 offers antiSamy protection via the getSafeHTML() function which applies a xml policy file specified in application.cfc but I would still need to modify every single varchar cfqueryparam in the application to use it right?

Is there a way to get CF11 to enable the antisamy features server or application wide in a similar way that the GSP feature works? What I mean by this is GSP automatically strips tags out of input submitted to the app without having to modify all the queries/form actions. I'd like a way to apply the antisamy policy file or getSafeHTML() in the same way.

Thanks!

like image 644
gnarbarian Avatar asked Dec 25 '22 04:12

gnarbarian


1 Answers

Why would you have to apply it to every one? You would only need to do it for string (varchar) inputs and only when inserting. And even then, you wouldn't use it everywhere. For example, if you ask for my name and bio, there is no reason why you would want html, even "good" html, in my name. So I'm sure you already use something there to escape all html or simply remove it all. Only for a field like bio would you use getSafeHTML.

Validation is work. You (typically) don't want a "all at once" solution imo. Just bite the bullet and do it.

If you did want to do it, you can use onRequestStart to automatically process all keys in the form and url scope. This is written by memory so it may have typos, but here is an example:

function onRequestStart(string req) {
    for(var key in form) { form[key] = getSafeHTML(form[key]); }
    for(var key in url) { url[key] = getSafeHTML(url[key]); }
}
like image 75
Raymond Camden Avatar answered Jan 23 '23 15:01

Raymond Camden