Eric Bourland asked:

question about HTMLEditFormat()

I'm concerned about XSS attacks. I did some reading about, and have tried to implement, the HTMLEditFormat() function.

However, when I use HTMLEditFormat() in a form input, or in a CFOUTPUT, the output on the page is the raw HTML code.

For example, if I do this:

<cfquery name="UpdatePage" datasource="#ds#">
    UPDATE tbl_acct_navigation
    SET
        PageTitle = <cfqueryparam cfsqltype="cf_sql_varchar" value="#HTMLEditFormat(form.PageTitle)#">,
        PageContentLeft = <cfqueryparam cfsqltype="cf_sql_varchar" value="#HTMLEditFormat(form.PageContentLeft)#">,
        PageContentRight = <cfqueryparam cfsqltype="cf_sql_varchar" value="#HTMLEditFormat(form.PageContentRight)#">,
        DateModified = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#now()#">
    WHERE PageID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.PageID)#">
</cfquery>

.... then the page output displays the HTML code; the HTML is not parsed by the browser. You can see it here:

http://www.coalcountryteam.org/index.cfm?PageID=76

Where should I implement HTMLEditFormat() to add a little protection against XSS attacks?

Sorry to be asking so many questions of late. =) I really appreciate people's time.

Eric B
ColdFusion Language

Last Comment
gdemaria

8/22/2022 - Mon
SOLUTION
gdemaria

SOLUTION
gdemaria

SOLUTION
gdemaria

Eric Bourland

ASKER
Darn. I just typed a careful reply here, and lost it when I tried to include a screencast. ~sigh~

gdemaria it is good to hear from you.

I want to include almost all HTML. I use the TinyMCE editor to allow this client to enter content and update her web pages. I also need to use a wide range of HTML tags, so I don't want to block any valid HTML tags.

I would like to block stuff like <script>/remotehost/terriblescript.js</script>

So I don't know if the HTMLEditFormat function is what I need. The Nadel article was great -- I like his blog a lot -- but Nadel mentions that developers need to be careful about escaping necessary HTML. (There are also some interesting notes about the vulnerabilities of scriptProtect. I have disabled scriptProtect in application.cfc, so that my client can embed video and slideshows using EMBED and OBJECT tags. Yet I wonder if in doing so I have made my application more vulnerable.)

So, I have been reading about XSS vulnerabilities, and I want to secure my application against them as much as I can; however, I don't know if HTMLEditFormat is what I need.

HTMLEditFormat makes my test page display HTML code -- which makes sense, given the way that I have used it.

Is HTMLEditFormat the right solution for this task? Is there a better way to block:

<script>/remotehost/terriblescript.js</script>

Thank you again. Hope you are well.

Eric
SOLUTION
Coast Line

ASKER CERTIFIED SOLUTION
gdemaria

SOLUTION
Brijesh Chauhan

Brijesh Chauhan

gdemaria


Brijesh, do you actually read anything before making your posts?

The author wants to have HTML in this post so cannot use HTMLeditFormat(), script protection and cannot strip out all HTML as your links state.

Eric, you need to selectively remove the tags that you don't want, as I showed in my post.

Eric Bourland

ASKER
brijeshchauhan, myselfrandhawa, and gdemaria,

I have a lot to think about, and much more reading and research to do.

I have indeed enabled Global Script Protection in ColdFusion Administrator.

However, in my application.cfc file, I disabled Global Script Protection using:

  <cfset this.scriptProtect = "No">

Why did I do that? Because Script Protection did not let me use EMBED and OBJECT tags, which are required when one wants to embed media from Flickr or Picasa. This feature is very important to this particular client.

This does make me a little nervous. Even though the administrative interface is inside a password protected folder, I don't like to have scriptProtect disabled without using some other kind of protection against XSS.

I will try gdemaria's script; I will also do some more reading as suggested by brijeshchauhan. I really appreciate everybody's very helpful comments. I will get back here later today. Hope you are all having a great day.

Eric
Brijesh Chauhan

The author has mentioned this...

Where should I implement HTMLEditFormat() to add a little protection against XSS attacks?

So just had him show on it...

Anyways, if the post is not useful, then it can be ignored.. it's up to the author..
Eric Bourland

ASKER
brij, I always appreciate your input.

I post many questions in this ColdFusion forum -- and I always get many very helpful replies. I have an abiding gratitude for everybody here.

I'm also aware that I need to contribute more, myself, in areas in which I have more experience: CSS, for example, and support for PC and Macintosh hardware and software.

Thank you for your help. =) I'm going to try gdemaria's Regular Expression Replace idea:

<cfset text = ReReplaceNoCase (text, "<script.*?>.*?</script>", "", "all")>

... and see what happens. I have read your replies carefully and I really appreciate your time.

Eric
Coast Line

@ eric, It's all upon your requirements, what exactly you want to try!

My suggestion will be: use all the inputs provided by us and implement it!

Me, Brij, gd, all of us have provided you different approaches, so I think you can create a combination of all three and that can help you a lot in making your application secure!

If you want to know more about the stopping of attacks, just read the below:

http://www.coldfusioncookbook.com/entry/36/How-can-I-prevent-SQL-injection-attacks?
Brijesh Chauhan

Eric, there is also one project called AntiSamy, based on Java, which can be used for protecting a website against XSS attacks.. it's open source and can be downloaded from

http://code.google.com/p/owaspantisamy/downloads/list

and its implementation is blogged in the following post

http://blog.pengoworks.com/index.cfm/2008/1/3/Using-AntiSamy-to-protect-your-CFM-pages-from-XSS-hacks

You can give it a try...

SOLUTION
SRIKANTH MADISHETTI

SOLUTION
gdemaria

Eric Bourland

ASKER
I'm working with gdemaria's idea to use <cfset text = ReReplaceNoCase (text, "<script.*?>.*?</script>", "", "all")>

I implemented that code in my edit page -- the page in which the user updates database records. I use this code, below:

 <!--- set up protection against XSS  --->

<cfset form.PageTitle) = ReReplaceNoCase (form.PageTitle), "<script.*?>.*?</script>", "", "all")>
<cfset form.PageContentLeft) = ReReplaceNoCase (form.PageContentLeft), "<script.*?>.*?</script>", "", "all")>
<cfset form.PageContentRight) = ReReplaceNoCase (form.PageContentRight), "<script.*?>.*?</script>", "", "all")>



and I get an error, which I note below.

srikanthmadis, I saw the Portcullis application and it looks very useful -- and that is something I am going to check out further.

brij and myselfrandhawa -- I am going to follow up separately about the excellent resources that you have recommended. I do think that HTMLeditFormat() is not the right solution for this particular problem but I do see that it is very useful in other solutions. I really appreciate your help.

Per gdemaria's notes I am going to first try to get <cfset text = ReReplaceNoCase (text, "<script.*?>.*?</script>", "", "all")>
to work. That looks like a very useful solution for this particular problem.

Thanks again to all.

E
error text:

Error Occurred While Processing Request
Invalid CFML construct found on line 14 at column 22.
ColdFusion was looking at the following text: )
The CFML compiler was processing:
  - A cfset tag beginning on line 14, column 2.

The error occurred in C:/websites/www.coalcountryteam.org/admin/editPages.cfm: line 14
 
12 : 
13 :  <!--- set up protection against XSS scripts --->
14 : <cfset form.PageTitle) = ReReplaceNoCase (form.PageTitle), "<script.*?>.*?</script>", "", "all")>
15 : <cfset form.PageContentLeft) = ReReplaceNoCase (form.PageContentLeft), "<script.*?>.*?</script>", "", "all")>
16 : <cfset form.PageContentRight) = ReReplaceNoCase (form.PageContentRight), "<script.*?>.*?</script>", "", "all")>


Eric Bourland

ASKER
I might need to provide more information about the edit page -- it's simple. I use a CFINPUT tag to update PageTitle:

<p><strong>Page Title:</strong>
  <cfinput
    type="Text"
    name="PageTitle"
    value="#Trim(form.PageTitle)#"
    message="Please enter a Document Title."
    required="Yes"
    validateAt="onSubmit,onServer"
    size="50"
    maxlength="255"></p>


And I use a textarea input field to update Page Content for the left and right sides of the page; example:

<textarea name="PageContentLeft"
    width="770"
    height="800"
    style="width:770px;height:800px;" wrap="virtual">
    <cfoutput>#form.PageContentLeft#</cfoutput>
</textarea>


I implement the TinyMCE javascript editor to apply a WYSIWYG interface to the textarea, for the convenience of the end user.

SOLUTION
gdemaria

SRIKANTH MADISHETTI

Eric ,

You can see the function filterTags in portcullis.cfc

Coast Line

@ all

I have heard a lot of portcullis, never used, but I will try it now

Thx
Coast Line

One addition to make: check this article by SIDFISH, a CF Community GURU

http://sidfishes.wordpress.com/2009/03/17/60/
SOLUTION
gdemaria

Eric Bourland

ASKER
gdemaria,

>>>In each of the lines, you have a ) before the equal sign and again after the variable name

Of course. Thank you. =)

I believe it is working. I tested by typing

"><script>alert("XSS")</script><

into the text update field; then saved the page. Then I view the updated page, but a javascript alert does not pop up, and in the source code the script tags have been removed. However I can paste in all other HTML. This is exactly what I needed.

>>>Don't confuse SQL injection attacks with XSS attacks.

Yep. I understand the difference. We handled a SQL injection in April of 2010 -- I remember it well.

brijeshchauhan and srikanthmadis, I am going to check out portcullis further. At this point I feel I am pretty well protected; I have a password-protected edit page that does not allow the script tag, but allows embed, object, and most other HTML tags.

I also found an option in TinyMCE that strips away selected tags:

invalid_elements : "b,i,script",

I added this line to my TinyMCE initialization code, to disallow the deprecated tags "i" and "b" and the dangerous tag "script".

I'm going to allow iframes for now. YouTube uses them, and this client embeds video from Youtube, so for now I need to accommodate her need for iframes unless a real security problem comes up.

I really appreciate all input. I'm going to close this question, with a lot of gratitude. I would like to award 500 points to everyone who contributed. I will give the majority of the points to gdemaria, who kept this question on task and provided an elegant solution. But I want to stress how grateful I am to myselfrandhawa, srikanthmadis…, and brijeshchauhan. I look forward to working with you again.

My small part of the internet is safer than it was before. ;-)

Eric
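The two techniques this thread ends up contrasting, as an added example that is not code from the thread, from ColdFusion or from TinyMCE (written in Python so it runs stand-alone; the tag list, attribute allowlist and sample markup are my assumptions): encoding a plain-text field at output time, which is what HTMLEditFormat() does, versus sanitising the rich-HTML fields with an allowlist that keeps the embed/object/iframe tags the client needs and drops script with its body, rather than relying on the regex removal alone.

```python
import html
import re
from html.parser import HTMLParser

# Plain-text fields such as the thread's PageTitle get encoded at OUTPUT time (the CFOUTPUT
# that displays them), never before the UPDATE; this is what HTMLEditFormat() does in CFML.
def encode_for_html(text):
    return html.escape(text, quote=True)

# The thread's fix, ported from: ReReplaceNoCase(text, "<script.*?>.*?</script>", "", "all")
def strip_script_blocks(markup):
    return re.sub(r"<script.*?>.*?</script>", "", markup, flags=re.IGNORECASE | re.DOTALL)

# Allowlist for the rich-HTML fields (PageContentLeft/Right): tag -> attributes that survive.
# embed/object/iframe stay because the client needs them; the exact choices are assumptions.
ALLOWED = {
    "p": set(), "br": set(), "strong": set(), "em": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"}, "img": {"src", "alt", "width", "height"}, "iframe": {"src", "width", "height"},
    "embed": {"src", "type", "width", "height"}, "object": {"data", "type", "width", "height"},
}
DROP_WITH_BODY = {"script", "style"}  # the tag AND everything inside it is discarded
VOID = {"br", "img", "embed"}         # never emit a closing tag for these
class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded and is re-escaped below
        self.out, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_BODY:
            self._skip += 1
        elif tag in ALLOWED and not self._skip:
            kept = "".join(f' {k}="{html.escape(v or "", quote=True)}"'
                           for k, v in attrs if k in ALLOWED[tag])
            self.out.append(f"<{tag}{kept}>")
        # any other tag is dropped, but its text content still passes through handle_data
    def handle_startendtag(self, tag, attrs):  # <br/>, <img .../>
        self.handle_starttag(tag, attrs)
    def handle_endtag(self, tag):
        if tag in DROP_WITH_BODY:
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED and tag not in VOID and not self._skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

def sanitize_rich_html(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

Encoding belongs in the CFOUTPUT that displays PageTitle, not in the UPDATE query; encoding before storage is why the saved text came back as visible HTML code.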
Eric Bourland

ASKER
Thank you gdemaria, myselfrandhawa, srikanthmadis…, and brijeshchauhan.

=)

Eric B
gdemaria

> a password-protected edit page

That really helps also; attacks usually don't come from an area that is protected.. you can always identify the culprit :)