Eric Bourland asked:

question about HTMLEditFormat()

I'm concerned about XSS attacks. I did some reading about, and have tried to implement, the HTMLEditFormat() function.

However, when I use HTMLEditFormat() in a form input, or in a CFOUTPUT, the output on the page is the raw HTML code.

For example, if I do this:

<cfquery name="UpdatePage" datasource="#ds#">
    UPDATE tbl_acct_navigation
    SET
        PageTitle = <cfqueryparam cfsqltype="cf_sql_varchar" value="#HTMLEditFormat(form.PageTitle)#">,
        PageContentLeft = <cfqueryparam cfsqltype="cf_sql_varchar" value="#HTMLEditFormat(form.PageContentLeft)#">,
        PageContentRight = <cfqueryparam cfsqltype="cf_sql_varchar" value="#HTMLEditFormat(form.PageContentRight)#">,
        DateModified = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#now()#">
    WHERE PageID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.PageID)#">
</cfquery>


... then the page output displays the HTML code; the HTML is not parsed by the browser. You can see it here:

http://www.coalcountryteam.org/index.cfm?PageID=76

Where should I implement HTMLEditFormat() to add a little protection against XSS attacks?

Sorry to be asking so many questions of late. =) I really appreciate people's time.

Eric B
SOLUTION (gdemaria): members-only content, not available on this page.

SOLUTION: members-only content, not available on this page.

SOLUTION: members-only content, not available on this page.
Eric Bourland (asker):

Darn. I just typed a careful reply here, and lost it when I tried to include a screencast. ~sigh~

gdemaria it is good to hear from you.

I want to include almost all HTML. I use the TinyMCE editor to allow this client to enter content and update her web pages. I also need to use a wide range of HTML tags, so I don't want to block any valid HTML tags.

I would like to block stuff like <script>/remotehost/terriblescript.js</script>

So I don't know if the HTMLEditFormat function is what I need. The Nadel article was great -- I like his blog a lot -- but Nadel mentions that developers need to be careful about escaping necessary HTML. (There are also some interesting notes about the vulnerabilities of scriptProtect. I have disabled scriptProtect in application.cfc, so that my client can embed video and slideshows using EMBED and OBJECT tags. Yet I wonder if in doing so I have made my application more vulnerable.)

So, I have been reading about XSS vulnerabilities, and I want to secure my application against them as much as I can; however, I don't know if HTMLEditFormat is what I need.

HTMLEditFormat makes my test page display HTML code -- which makes sense, given the way that I have used it.

Is HTMLEditFormat the right solution for this task? Is there a better way to block:

<script>/remotehost/terriblescript.js</script>

Thank you again. Hope you are well.

Eric
SOLUTION: members-only content, not available on this page.

ASKER CERTIFIED SOLUTION: members-only content, not available on this page.

SOLUTION: members-only content, not available on this page.

Brijesh, do you actually read anything before making your posts?

The author wants to have HTML in this post, so cannot use HTMLEditFormat() or script protection, and cannot strip out all HTML as your link states.

Eric, you need to selectively remove the tags that you don't want, as I showed in my post.

brijeshchauhan, myselfrandhawa, and gdemaria,

I have a lot to think about, and much more reading and research to do.

I have indeed enabled Global Script Protection in ColdFusion Administrator.

However, in my application.cfc file, I disabled Global Script Protection using:

  <cfset this.scriptProtect = "No">

Why did I do that? Because Script Protection did not let me use EMBED and OBJECT tags, which are required when one wants to embed media from Flickr or Picasa. This feature is very important to this particular client.

This does make me a little nervous. Even though the administrative interface is inside a password protected folder, I don't like to have scriptProtect disabled without using some other kind of protection against XSS.

I will try gdemaria's script; I will also do some more reading as suggested by brijeshchauhan. I really appreciate everybody's very helpful comments. I will get back here later today. Hope you are all having a great day.

Eric
The author has mentioned this...

Where should I implement HTMLEditFormat() to add a little protection against XSS attacks?

So just had him show on it...

Anyways, if the post is not useful, then it can be ignored.. it's up to the author..
brij, I always appreciate your input.

I post many questions in this ColdFusion forum -- and I always get many very helpful replies. I have an abiding gratitude for everybody here.

I'm also aware that I need to contribute more, myself, in areas in which I have more experience: CSS, for example, and support for PC and Macintosh hardware and software.

Thank you for your help. =) I'm going to try gdemaria's Regular Expression Replace idea:

<cfset text = ReReplaceNoCase (text, "<script.*?>.*?</script>", "", "all")>

... and see what happens. I have read your replies carefully and I really appreciate your time.

Eric
@eric, it's all upon your requirements, what exactly you want to try!

My suggestion will be: use all the inputs provided by us and implement them!

Me, Brij, gd, all of us have provided you different approaches, so I think you can create a combination of all three and that can help you a lot in making your application secure!

if you want to know more about the stopping of attacks! just read the below:

http://www.coldfusioncookbook.com/entry/36/How-can-I-prevent-SQL-injection-attacks?
Eric, there is also one project called AntiSamy, based on Java, which can be used for protecting a website against XSS attacks. It's open source and can be downloaded from

http://code.google.com/p/owaspantisamy/downloads/list

and its implementation is blogged in the following post

http://blog.pengoworks.com/index.cfm/2008/1/3/Using-AntiSamy-to-protect-your-CFM-pages-from-XSS-hacks

You can give it a try...

SOLUTION: members-only content, not available on this page.

SOLUTION: members-only content, not available on this page.
I'm working with gdemaria's idea to use <cfset text = ReReplaceNoCase (text, "<script.*?>.*?</script>", "", "all")>

I implemented that code in my edit page -- the page in which the user updates database records. I use this code, below:

 <!--- set up protection against XSS  --->

<cfset form.PageTitle) = ReReplaceNoCase (form.PageTitle), "<script.*?>.*?</script>", "", "all")>
<cfset form.PageContentLeft) = ReReplaceNoCase (form.PageContentLeft), "<script.*?>.*?</script>", "", "all")>
<cfset form.PageContentRight) = ReReplaceNoCase (form.PageContentRight), "<script.*?>.*?</script>", "", "all")>



and I get an error, which I note below.

srikanthmadis, I saw the Portcullis application and it looks very useful -- and that is something I am going to check out further.

brij and myselfrandhawa -- I am going to follow up separately about the excellent resources that you have recommended. I do think that HTMLeditFormat() is not the right solution for this particular problem but I do see that it is very useful in other solutions. I really appreciate your help.

Per gdemaria's notes I am going to first try to get <cfset text = ReReplaceNoCase (text, "<script.*?>.*?</script>", "", "all")>
to work. That looks like a very useful solution for this particular problem.

Thanks again to all.

E
error text:

Error Occurred While Processing Request  
Invalid CFML construct found on line 14 at column 22.  
ColdFusion was looking at the following text:<p>)</p><p>The CFML compiler was processing:<ul><li>A cfset tag beginning on line 14, column 2.</ul>  
  
The error occurred in C:/websites/www.coalcountryteam.org/admin/editPages.cfm: line 14
 
12 : 
13 :  <!--- set up protection against XSS scripts --->
14 : <cfset form.PageTitle) = ReReplaceNoCase (form.PageTitle), "<script.*?>.*?</script>", "", "all")>
15 : <cfset form.PageContentLeft) = ReReplaceNoCase (form.PageContentLeft), "<script.*?>.*?</script>", "", "all")>
16 : <cfset form.PageContentRight) = ReReplaceNoCase (form.PageContentRight), "<script.*?>.*?</script>", "", "all")>


I might need to provide more information about the edit page -- it's simple. I use a CFINPUT tag to update PageTitle:

<p><strong>Page Title:</strong>
    <cfinput
        type="Text"
        name="PageTitle"
        value="#Trim(form.PageTitle)#"
        message="Please enter a Document Title."
        required="Yes"
        validateAt="onSubmit,onServer"
        size="50"
        maxlength="255"></p>



And I use a textarea input field to update Page Content for the left and right sides of the page; example:

<textarea name="PageContentLeft"
          width="770"
          height="800"
          style="width:770px;height:800px;" wrap="virtual">
    <cfoutput>#form.PageContentLeft#</cfoutput>
</textarea>



I implement the TinyMCE javascript editor to apply a WYSIWYG interface to the textarea, for the convenience of the end user.

SOLUTION: members-only content, not available on this page.
Eric,

You can see the function filterTags in portcullis.cfc

@all

I have heard a lot about Portcullis, never used it, but I will try it now.

Thx
One addition to make: check this article by Sidfish, a CF community guru

http://sidfishes.wordpress.com/2009/03/17/60/
SOLUTION: members-only content, not available on this page.
gdemaria,

>>>In each of the lines, you have a ) before the equal sign and again after the variable name

Of course. Thank you. =)

I believe it is working. I tested by typing

"><script>alert("XSS")</script><

into the text update field, then saved the page. Then I viewed the updated page: a JavaScript alert does not pop up, and in the source code the script tags have been removed. However, I can paste in all other HTML. This is exactly what I needed.

>>>Don't confuse SQL injection attacks with XSS attacks.

Yep. I understand the difference. We handled a SQL injection in April of 2010 -- I remember it well.

brijeshchauhan and srikanthmadis, I am going to check out portcullis further. At this point I feel I am pretty well protected; I have a password-protected edit page that does not allow the script tag, but allows embed, object, and most other HTML tags.

I also found an option in TinyMCE that strips away selected tags:

invalid_elements : "b,i,script",

I added this line to my TinyMCE initialization code, to disallow the deprecated tags "i" and "b" and the dangerous tag "script".

I'm going to allow iframes for now. YouTube uses them, and this client embeds video from Youtube, so for now I need to accommodate her need for iframes unless a real security problem comes up.

I really appreciate all input. I'm going to close this question, with a lot of gratitude. I would like to award 500 points to everyone who contributed. I will give the majority of the points to gdemaria, who kept this question on task and provided an elegant solution. But I want to stress how grateful I am to myselfrandhawa, srikanthmadis…, and brijeshchauhan. I look forward to working with you again.

My small part of the internet is safer than it was before. ;-)

Eric
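A consolidated version of what the thread settled on, added here as an example rather than code from any of the posts: gdemaria's ReReplaceNoCase() idea wrapped in a function and applied to the three form fields on save, with HTMLEditFormat() kept for the plain-text title on the display page. The function name stripScriptTags, the GetPage query and url.PageID are assumptions; field, table and datasource names are the ones used in the question.

```cfml
<!--- Added example, not code from the thread. stripScriptTags, the GetPage
      query and url.PageID are assumptions; field, table and datasource names
      are the ones used in the question. --->
<cffunction name="stripScriptTags" returntype="string" output="false">
    <cfargument name="html" type="string" required="true">
    <cfset var cleaned = arguments.html>
    <!--- gdemaria's pattern: remove whole <script ...>...</script> blocks --->
    <cfset cleaned = ReReplaceNoCase(cleaned, "<script.*?>.*?</script>", "", "all")>
    <!--- an opening tag without its closing tag would survive the pattern
          above, so remove any leftover opening and closing tags as well --->
    <cfset cleaned = ReReplaceNoCase(cleaned, "<script[^>]*>", "", "all")>
    <cfset cleaned = ReReplaceNoCase(cleaned, "</script>", "", "all")>
    <cfreturn cleaned>
</cffunction>

<!--- Edit page, on submit. The variable left of "=" has no stray ")", which was
      the cause of the compiler error quoted above. Rich-text fields keep their
      HTML (EMBED, OBJECT, IFRAME stay) and lose only script tags. This runs on
      the server, so it does not depend on TinyMCE's invalid_elements setting,
      which only runs in the browser. --->
<cfif structKeyExists(form, "PageContentLeft")>
    <cfset form.PageTitle        = stripScriptTags(form.PageTitle)>
    <cfset form.PageContentLeft  = stripScriptTags(form.PageContentLeft)>
    <cfset form.PageContentRight = stripScriptTags(form.PageContentRight)>
    <!--- the UPDATE query from the question follows here, without
          HTMLEditFormat() around the values, so the stored HTML is not escaped --->
</cfif>

<!--- Display page (index.cfm?PageID=...). PageTitle is plain text typed into a
      cfinput, so it is escaped on output with HTMLEditFormat() (ColdFusion 10
      and later also offer EncodeForHTML()). The content fields are meant to be
      rendered as HTML and are output as stored; escaping them, whether at save
      time as in the question or here, is what made the raw tags appear. --->
<cfquery name="GetPage" datasource="#ds#">
    SELECT PageTitle, PageContentLeft, PageContentRight
    FROM tbl_acct_navigation
    WHERE PageID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(url.PageID)#">
</cfquery>
<cfoutput>
    <h1>#HTMLEditFormat(GetPage.PageTitle)#</h1>
    <div class="left">#GetPage.PageContentLeft#</div>
    <div class="right">#GetPage.PageContentRight#</div>
</cfoutput>
```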
Thank you gdemaria, myselfrandhawa, srikanthmadis…, and brijeshchauhan.

=)

Eric B
> a password-protected edit page

That really helps also; attacks usually don't come from an area that is protected, and you can always identify the culprit :)